# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Jan 15 2020 08:26:44 # Log Creation Date: 18.01.2020 19:37:27.276 Process: id = "1" image_name = "dp_main.exe" filename = "c:\\users\\fd1hvy\\desktop\\dp_main.exe" page_root = "0x10d4f000" os_pid = "0x10c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x740" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x12c4 [0046.932] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0047.150] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0047.192] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0047.196] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\", nBufferLength=0x105, lpBuffer=0xf1e050, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\", lpFilePart=0x0) returned 0x18 [0047.200] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\", nBufferLength=0x105, lpBuffer=0xf1e240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\", lpFilePart=0x0) returned 0x18 [0047.200] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\", nBufferLength=0x105, lpBuffer=0xf1e140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\", lpFilePart=0x0) returned 0x18 [0047.216] GetVersionExW (in: lpVersionInformation=0xf1e1a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xf1e1a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0047.231] GetVersionExW (in: lpVersionInformation=0xf1e1a0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xf1e1a0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0048.730] CoCreateGuid (in: pguid=0xf1da60 | out: pguid=0xf1da60*(Data1=0xf5928fa7, Data2=0xce53, Data3=0x488c, Data4=([0]=0x94, [1]=0x86, [2]=0xe9, [3]=0x1e, [4]=0x91, [5]=0x65, [6]=0x3f, [7]=0x66))) returned 0x0 [0048.733] GetVersionExW (in: lpVersionInformation=0xf1d940*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xf1d940*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0048.807] CoCreateGuid (in: pguid=0xf1da60 | out: pguid=0xf1da60*(Data1=0xe1adc123, Data2=0xe56a, Data3=0x40ce, Data4=([0]=0xb5, [1]=0xcc, [2]=0x41, [3]=0x17, [4]=0x11, [5]=0xbd, [6]=0x6, [7]=0x2a))) returned 0x0 [0049.407] GetConsoleWindow () returned 0x50072 [0049.538] ShowWindow (hWnd=0x50072, nCmdShow=0) returned 1 [0049.702] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0049.702] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0049.703] CoTaskMemFree (pv=0x10bd8a0) [0049.703] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e630, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0049.703] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\welldone.dp", nBufferLength=0x105, lpBuffer=0xf1e790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\welldone.dp", lpFilePart=0x0) returned 0x2e [0049.703] GetVersionExW (in: lpVersionInformation=0xf1e840*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xf1e840*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0049.704] SetErrorMode (uMode=0x1) returned 0x0 [0049.705] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\welldone.dp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp\\welldone.dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e9a0 | out: lpFileInformation=0xf1e9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0049.706] SetErrorMode (uMode=0x0) returned 0x1 [0050.036] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0050.036] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0050.036] CoTaskMemFree (pv=0x10bd8a0) [0050.036] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0050.036] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", nBufferLength=0x105, lpBuffer=0xf1e730, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", lpFilePart=0x0) returned 0x22 [0050.038] SetErrorMode (uMode=0x1) returned 0x0 [0050.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e940 | out: lpFileInformation=0xf1e940*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0050.038] SetErrorMode (uMode=0x0) returned 0x1 [0050.038] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", nBufferLength=0x105, lpBuffer=0xf1e740, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", lpFilePart=0x0) returned 0x22 [0050.047] SetErrorMode (uMode=0x1) returned 0x0 [0050.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e860 | out: lpFileInformation=0xf1e860*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0050.047] SetErrorMode (uMode=0x0) returned 0x1 [0050.047] SetErrorMode (uMode=0x1) returned 0x0 [0050.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming"), fInfoLevelId=0x0, lpFileInformation=0xf1e860 | out: lpFileInformation=0xf1e860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xf5cdf86b, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf5cdf86b, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0050.048] SetErrorMode (uMode=0x0) returned 0x1 [0050.048] SetErrorMode (uMode=0x1) returned 0x0 [0050.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData" (normalized: "c:\\users\\fd1hvy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0xf1e860 | out: lpFileInformation=0xf1e860*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0050.048] SetErrorMode (uMode=0x0) returned 0x1 [0050.048] SetErrorMode (uMode=0x1) returned 0x0 [0050.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy"), fInfoLevelId=0x0, lpFileInformation=0xf1e860 | out: lpFileInformation=0xf1e860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0050.048] SetErrorMode (uMode=0x0) returned 0x1 [0050.048] SetErrorMode (uMode=0x1) returned 0x0 [0050.048] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xf1e860 | out: lpFileInformation=0xf1e860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0050.048] SetErrorMode (uMode=0x0) returned 0x1 [0050.049] CreateDirectoryW (lpPathName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp"), lpSecurityAttributes=0x0) returned 1 [0050.140] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\RunAsAdmin.dp", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\RunAsAdmin.dp", lpFilePart=0x0) returned 0x30 [0050.141] SetErrorMode (uMode=0x1) returned 0x0 [0050.144] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\RunAsAdmin.dp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp\\runasadmin.dp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2a4 [0050.184] GetFileType (hFile=0x2a4) returned 0x1 [0050.184] SetErrorMode (uMode=0x0) returned 0x1 [0050.184] GetFileType (hFile=0x2a4) returned 0x1 [0050.192] WriteFile (in: hFile=0x2a4, lpBuffer=0x2fcb200*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0xf1e908, lpOverlapped=0x0 | out: lpBuffer=0x2fcb200*, lpNumberOfBytesWritten=0xf1e908*=0x1, lpOverlapped=0x0) returned 1 [0050.196] CloseHandle (hObject=0x2a4) returned 1 [0050.360] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xf1da50 | out: lpLuid=0xf1da50*(LowPart=0x14, HighPart=0)) returned 1 [0050.366] GetCurrentProcess () returned 0xffffffffffffffff [0050.367] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xf1da70 | out: TokenHandle=0xf1da70*=0x2fc) returned 1 [0050.369] AdjustTokenPrivileges (in: TokenHandle=0x2fc, DisableAllPrivileges=0, NewState=0x2fcc2d8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0050.373] CloseHandle (hObject=0x2fc) returned 1 [0050.381] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12fc9070, Length=0x20000, ResultLength=0xf1ea60 | out: SystemInformation=0x12fc9070, ResultLength=0xf1ea60*=0x27100) returned 0xc0000004 [0050.388] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12fe90a0, Length=0x29900, ResultLength=0xf1ea60 | out: SystemInformation=0x12fe90a0, ResultLength=0xf1ea60*=0x27100) returned 0x0 [0050.582] GetVersionExW (in: lpVersionInformation=0xf1e9e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xf1e9e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0050.584] GetCurrentProcess () returned 0xffffffffffffffff [0050.585] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xf1ea78 | out: TokenHandle=0xf1ea78*=0x30c) returned 1 [0050.589] GetTokenInformation (in: TokenHandle=0x30c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xf1e998 | out: TokenInformation=0x0, ReturnLength=0xf1e998) returned 0 [0050.590] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1099d60 [0050.590] GetTokenInformation (in: TokenHandle=0x30c, TokenInformationClass=0x8, TokenInformation=0x1099d60, TokenInformationLength=0x4, ReturnLength=0xf1e998 | out: TokenInformation=0x1099d60, ReturnLength=0xf1e998) returned 1 [0050.593] DuplicateTokenEx (in: hExistingToken=0x30c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xf1eaf8 | out: phNewToken=0xf1eaf8*=0x310) returned 1 [0050.593] GetTokenInformation (in: TokenHandle=0x30c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xf1e998 | out: TokenInformation=0x0, ReturnLength=0xf1e998) returned 0 [0050.593] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1099bc0 [0050.593] GetTokenInformation (in: TokenHandle=0x30c, TokenInformationClass=0x8, TokenInformation=0x1099bc0, TokenInformationLength=0x4, ReturnLength=0xf1e998 | out: TokenInformation=0x1099bc0, ReturnLength=0xf1e998) returned 1 [0050.594] CheckTokenMembership (in: TokenHandle=0x310, SidToCheck=0x30132b8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xf1eb08 | out: IsMember=0xf1eb08) returned 1 [0050.594] CloseHandle (hObject=0x310) returned 1 [0050.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x130129d0, Length=0x20000, ResultLength=0xf1ea60 | out: SystemInformation=0x130129d0, ResultLength=0xf1ea60*=0x27100) returned 0xc0000004 [0050.598] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x13032a00, Length=0x29900, ResultLength=0xf1ea60 | out: SystemInformation=0x13032a00, ResultLength=0xf1ea60*=0x27100) returned 0x0 [0050.647] GetFullPathNameW (in: lpFileName="id.dp", nBufferLength=0x105, lpBuffer=0xf1e790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\id.dp", lpFilePart=0x0) returned 0x1d [0050.647] SetErrorMode (uMode=0x1) returned 0x0 [0050.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\id.dp" (normalized: "c:\\users\\fd1hvy\\desktop\\id.dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e9a0 | out: lpFileInformation=0xf1e9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0050.647] SetErrorMode (uMode=0x0) returned 0x1 [0050.744] GetFullPathNameW (in: lpFileName="id.dp", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\id.dp", lpFilePart=0x0) returned 0x1d [0050.744] SetErrorMode (uMode=0x1) returned 0x0 [0050.744] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\id.dp" (normalized: "c:\\users\\fd1hvy\\desktop\\id.dp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0050.745] GetFileType (hFile=0x310) returned 0x1 [0050.745] SetErrorMode (uMode=0x0) returned 0x1 [0050.745] GetFileType (hFile=0x310) returned 0x1 [0050.745] WriteFile (in: hFile=0x310, lpBuffer=0x305a208*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0xf1e968, lpOverlapped=0x0 | out: lpBuffer=0x305a208*, lpNumberOfBytesWritten=0xf1e968*=0x8, lpOverlapped=0x0) returned 1 [0050.746] CloseHandle (hObject=0x310) returned 1 [0050.749] QueryPerformanceFrequency (in: lpFrequency=0xf1dc90 | out: lpFrequency=0xf1dc90*=100000000) returned 1 [0050.791] QueryPerformanceCounter (in: lpPerformanceCount=0xf1eba0 | out: lpPerformanceCount=0xf1eba0*=20928089099) returned 1 [0051.024] CoTaskMemAlloc (cb=0x20c) returned 0x10bd020 [0051.024] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x10bd020 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0051.025] CoTaskMemFree (pv=0x10bd020) [0051.025] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x105, lpBuffer=0xf1e5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0051.025] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0051.025] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Program Files") returned 0x0 [0051.026] CoTaskMemFree (pv=0x10bd8a0) [0051.026] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0xf1e5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0051.026] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth", nBufferLength=0x105, lpBuffer=0xf1e710, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth", lpFilePart=0x0) returned 0x2d [0051.026] SetErrorMode (uMode=0x1) returned 0x0 [0051.026] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth" (normalized: "c:\\users\\fd1hvy\\documents\\decryptioninfo.auth"), fInfoLevelId=0x0, lpFileInformation=0xf1e920 | out: lpFileInformation=0xf1e920*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0051.026] SetErrorMode (uMode=0x0) returned 0x1 [0051.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DP\\DecryptionInfo.auth", nBufferLength=0x105, lpBuffer=0xf1e710, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DP\\DecryptionInfo.auth", lpFilePart=0x0) returned 0x27 [0051.027] SetErrorMode (uMode=0x1) returned 0x0 [0051.027] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DP\\DecryptionInfo.auth" (normalized: "c:\\program files\\dp\\decryptioninfo.auth"), fInfoLevelId=0x0, lpFileInformation=0xf1e920 | out: lpFileInformation=0xf1e920*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0051.027] SetErrorMode (uMode=0x0) returned 0x1 [0051.635] GetACP () returned 0x4e4 [0051.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0051.693] WriteFile (in: hFile=0x50, lpBuffer=0xf1ea74*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0xf1ea74*, lpNumberOfBytesWritten=0xf1e958*=0x0, lpOverlapped=0x0) returned 1 [0051.730] GetConsoleOutputCP () returned 0x1b5 [0051.782] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0051.816] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0051.852] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0051.899] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0051.963] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.012] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.058] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.103] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.153] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.209] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.246] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.331] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.368] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.434] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.474] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf1e958, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e958*=0x3, lpOverlapped=0x0) returned 1 [0052.511] WriteFile (in: hFile=0x50, lpBuffer=0x306aa68*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1e9c8, lpOverlapped=0x0 | out: lpBuffer=0x306aa68*, lpNumberOfBytesWritten=0xf1e9c8*=0x2, lpOverlapped=0x0) returned 1 [0052.647] CoTaskMemAlloc (cb=0x20c) returned 0x10bcbe0 [0052.647] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x10bcbe0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0052.647] CoTaskMemFree (pv=0x10bcbe0) [0052.647] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x105, lpBuffer=0xf1e530, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0052.647] CoTaskMemAlloc (cb=0x20c) returned 0x10bd020 [0052.647] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x10bd020 | out: pszPath="C:\\Program Files") returned 0x0 [0052.647] CoTaskMemFree (pv=0x10bd020) [0052.647] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0xf1e530, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0052.647] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth", lpFilePart=0x0) returned 0x2d [0052.648] SetErrorMode (uMode=0x1) returned 0x0 [0052.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\DecryptionInfo.auth" (normalized: "c:\\users\\fd1hvy\\documents\\decryptioninfo.auth"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0052.648] GetFileType (hFile=0x344) returned 0x1 [0052.648] SetErrorMode (uMode=0x0) returned 0x1 [0052.648] GetFileType (hFile=0x344) returned 0x1 [0052.649] WriteFile (in: hFile=0x344, lpBuffer=0x30732f0*, nNumberOfBytesToWrite=0x64c, lpNumberOfBytesWritten=0xf1e868, lpOverlapped=0x0 | out: lpBuffer=0x30732f0*, lpNumberOfBytesWritten=0xf1e868*=0x64c, lpOverlapped=0x0) returned 1 [0052.650] CloseHandle (hObject=0x344) returned 1 [0052.651] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DP", nBufferLength=0x105, lpBuffer=0xf1e6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DP", lpFilePart=0x0) returned 0x13 [0052.651] SetErrorMode (uMode=0x1) returned 0x0 [0052.651] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DP" (normalized: "c:\\program files\\dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e7c0 | out: lpFileInformation=0xf1e7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.651] SetErrorMode (uMode=0x0) returned 0x1 [0052.651] SetErrorMode (uMode=0x1) returned 0x0 [0052.651] GetFileAttributesExW (in: lpFileName="C:\\Program Files" (normalized: "c:\\program files"), fInfoLevelId=0x0, lpFileInformation=0xf1e7c0 | out: lpFileInformation=0xf1e7c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfd4e1535, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xfd4e1535, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0052.651] SetErrorMode (uMode=0x0) returned 0x1 [0052.651] CreateDirectoryW (lpPathName="C:\\Program Files\\DP" (normalized: "c:\\program files\\dp"), lpSecurityAttributes=0x0) returned 1 [0052.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DP\\DecryptionInfo.auth", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DP\\DecryptionInfo.auth", lpFilePart=0x0) returned 0x27 [0052.653] SetErrorMode (uMode=0x1) returned 0x0 [0052.653] CreateFileW (lpFileName="C:\\Program Files\\DP\\DecryptionInfo.auth" (normalized: "c:\\program files\\dp\\decryptioninfo.auth"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0052.653] GetFileType (hFile=0x344) returned 0x1 [0052.653] SetErrorMode (uMode=0x0) returned 0x1 [0052.653] GetFileType (hFile=0x344) returned 0x1 [0052.653] WriteFile (in: hFile=0x344, lpBuffer=0x3076278*, nNumberOfBytesToWrite=0x64c, lpNumberOfBytesWritten=0xf1e868, lpOverlapped=0x0 | out: lpBuffer=0x3076278*, lpNumberOfBytesWritten=0xf1e868*=0x64c, lpOverlapped=0x0) returned 1 [0052.654] CloseHandle (hObject=0x344) returned 1 [0054.423] lstrlenW (lpString="䅁") returned 1 [0054.512] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0054.512] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0054.512] CoTaskMemFree (pv=0x10bd680) [0054.512] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0054.512] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", nBufferLength=0x105, lpBuffer=0xf1e730, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP", lpFilePart=0x0) returned 0x22 [0054.512] SetErrorMode (uMode=0x1) returned 0x0 [0054.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp"), fInfoLevelId=0x0, lpFileInformation=0xf1e940 | out: lpFileInformation=0xf1e940*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3e366bc, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xd3f1b532, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd3f1b532, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0054.513] SetErrorMode (uMode=0x0) returned 0x1 [0054.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0054.636] lstrlenW (lpString="䅁") returned 1 [0054.637] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0054.637] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0054.638] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\DP_Main.exe", lpFilePart=0x0) returned 0x2e [0054.640] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dp_main.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\DP_Main.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dp\\dp_main.exe"), bFailIfExists=1) returned 1 [0054.656] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x2001f, phkResult=0xf1eaf8 | out: phkResult=0xf1eaf8*=0x344) returned 0x0 [0054.661] RegQueryValueExW (in: hKey=0x344, lpValueName="DP_Main", lpReserved=0x0, lpType=0xf1ea0c, lpData=0x0, lpcbData=0xf1ea08*=0x0 | out: lpType=0xf1ea0c*=0x0, lpData=0x0, lpcbData=0xf1ea08*=0x0) returned 0x2 [0054.665] RegSetValueExW (in: hKey=0x344, lpValueName="DP_Main", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\DP_Main.exe", cbData=0x5e | out: lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\DP\\DP_Main.exe") returned 0x0 [0054.667] RegCloseKey (hKey=0x344) returned 0x0 [0054.793] GetLogicalDrives () returned 0x4 [0054.793] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xf1e580, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0054.903] CoTaskMemAlloc (cb=0x20e) returned 0x10be120 [0054.903] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x10be120 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.903] CoTaskMemFree (pv=0x10be120) [0055.039] CoCreateGuid (in: pguid=0xf1e850 | out: pguid=0xf1e850*(Data1=0xc6bf496a, Data2=0xa952, Data3=0x4281, Data4=([0]=0xbc, [1]=0x30, [2]=0x6b, [3]=0xfc, [4]=0xfe, [5]=0x47, [6]=0x12, [7]=0x4b))) returned 0x0 [0055.039] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0055.039] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0055.040] CoTaskMemFree (pv=0x10bd680) [0055.040] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0055.040] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0055.042] SetErrorMode (uMode=0x1) returned 0x0 [0055.044] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*.*", lpFindFileData=0xf1e5e0 | out: lpFindFileData=0xf1e5e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd44eb16f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd44eb16f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3290 [0055.045] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd44eb16f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd44eb16f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.045] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8461af30, ftCreationTime.dwHighDateTime=0x1d5c480, ftLastAccessTime.dwLowDateTime=0xa6fcf660, ftLastAccessTime.dwHighDateTime=0x1d5ba00, ftLastWriteTime.dwLowDateTime=0xa6fcf660, ftLastWriteTime.dwHighDateTime=0x1d5ba00, nFileSizeHigh=0x0, nFileSizeLow=0x61a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="9kqgbPRnCB3J.wav", cAlternateFileName="9KQGBP~1.WAV")) returned 1 [0055.045] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6da183a0, ftCreationTime.dwHighDateTime=0x1d5b653, ftLastAccessTime.dwLowDateTime=0xc750c5f0, ftLastAccessTime.dwHighDateTime=0x1d5c305, ftLastWriteTime.dwLowDateTime=0xc750c5f0, ftLastWriteTime.dwHighDateTime=0x1d5c305, nFileSizeHigh=0x0, nFileSizeLow=0xac0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="aJjJomlXtRW.swf", cAlternateFileName="AJJJOM~1.SWF")) returned 1 [0055.045] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5958240, ftCreationTime.dwHighDateTime=0x1d5ba70, ftLastAccessTime.dwLowDateTime=0x27d0bf0, ftLastAccessTime.dwHighDateTime=0x1d5c551, ftLastWriteTime.dwLowDateTime=0x27d0bf0, ftLastWriteTime.dwHighDateTime=0x1d5c551, nFileSizeHigh=0x0, nFileSizeLow=0x1e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN6-Pxxi.odt", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9f2a0, ftCreationTime.dwHighDateTime=0x1d5c588, ftLastAccessTime.dwLowDateTime=0xf92d8ae0, ftLastAccessTime.dwHighDateTime=0x1d5c3eb, ftLastWriteTime.dwLowDateTime=0xf92d8ae0, ftLastWriteTime.dwHighDateTime=0x1d5c3eb, nFileSizeHigh=0x0, nFileSizeLow=0x163c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="AOHiWgJ_sDNW 3pSUMTE.gif", cAlternateFileName="AOHIWG~1.GIF")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bba78e0, ftCreationTime.dwHighDateTime=0x1d5c2c9, ftLastAccessTime.dwLowDateTime=0xa6cf2780, ftLastAccessTime.dwHighDateTime=0x1d5b6fe, ftLastWriteTime.dwLowDateTime=0xa6cf2780, ftLastWriteTime.dwHighDateTime=0x1d5b6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14355, dwReserved0=0x0, dwReserved1=0x0, cFileName="aWNU.m4a", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8e60a0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x61ef4ce0, ftLastAccessTime.dwHighDateTime=0x1d5c143, ftLastWriteTime.dwLowDateTime=0x61ef4ce0, ftLastWriteTime.dwHighDateTime=0x1d5c143, nFileSizeHigh=0x0, nFileSizeLow=0x4307, dwReserved0=0x0, dwReserved1=0x0, cFileName="d8U.mp3", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5be4880, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xb5be4880, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xb3f48500, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="DP_Main.exe", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb321130, ftCreationTime.dwHighDateTime=0x1d5bc6f, ftLastAccessTime.dwLowDateTime=0x2df41ef0, ftLastAccessTime.dwHighDateTime=0x1d5b650, ftLastWriteTime.dwLowDateTime=0x2df41ef0, ftLastWriteTime.dwHighDateTime=0x1d5b650, nFileSizeHigh=0x0, nFileSizeLow=0x7021, dwReserved0=0x0, dwReserved1=0x0, cFileName="FHxozOc_QKE.png", cAlternateFileName="FHXOZO~1.PNG")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddb61640, ftCreationTime.dwHighDateTime=0x1d5b7d6, ftLastAccessTime.dwLowDateTime=0xe32d29b0, ftLastAccessTime.dwHighDateTime=0x1d5c1ef, ftLastWriteTime.dwLowDateTime=0xe32d29b0, ftLastWriteTime.dwHighDateTime=0x1d5c1ef, nFileSizeHigh=0x0, nFileSizeLow=0x8ba5, dwReserved0=0x0, dwReserved1=0x0, cFileName="HAMwLsfXQw AUyW.bmp", cAlternateFileName="HAMWLS~1.BMP")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2c1610, ftCreationTime.dwHighDateTime=0x1d5bcf2, ftLastAccessTime.dwLowDateTime=0x9bda2d90, ftLastAccessTime.dwHighDateTime=0x1d5b8eb, ftLastWriteTime.dwLowDateTime=0x9bda2d90, ftLastWriteTime.dwHighDateTime=0x1d5b8eb, nFileSizeHigh=0x0, nFileSizeLow=0x1560e, dwReserved0=0x0, dwReserved1=0x0, cFileName="hIB45OhCIGM_rvc7.wav", cAlternateFileName="HIB45O~1.WAV")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd44eb16f, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xd44eb16f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd44eb16f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="id.dp", cAlternateFileName="")) returned 1 [0055.046] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3ec56a0, ftCreationTime.dwHighDateTime=0x1d5c41b, ftLastAccessTime.dwLowDateTime=0xe12ca6a0, ftLastAccessTime.dwHighDateTime=0x1d5c31f, ftLastWriteTime.dwLowDateTime=0xe12ca6a0, ftLastWriteTime.dwHighDateTime=0x1d5c31f, nFileSizeHigh=0x0, nFileSizeLow=0x9280, dwReserved0=0x0, dwReserved1=0x0, cFileName="J6aDIHYLiICtbUWWpQ-a.pps", cAlternateFileName="J6ADIH~1.PPS")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8384730, ftCreationTime.dwHighDateTime=0x1d5b609, ftLastAccessTime.dwLowDateTime=0xb2290bb0, ftLastAccessTime.dwHighDateTime=0x1d5b7ac, ftLastWriteTime.dwLowDateTime=0xb2290bb0, ftLastWriteTime.dwHighDateTime=0x1d5b7ac, nFileSizeHigh=0x0, nFileSizeLow=0x109a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="j86dCykR.csv", cAlternateFileName="")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca2bee60, ftCreationTime.dwHighDateTime=0x1d5b80d, ftLastAccessTime.dwLowDateTime=0x199db790, ftLastAccessTime.dwHighDateTime=0x1d5b862, ftLastWriteTime.dwLowDateTime=0x199db790, ftLastWriteTime.dwHighDateTime=0x1d5b862, nFileSizeHigh=0x0, nFileSizeLow=0x174c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="JPGBwvW6.mp4", cAlternateFileName="")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa679aa00, ftCreationTime.dwHighDateTime=0x1d5b8aa, ftLastAccessTime.dwLowDateTime=0x42305c70, ftLastAccessTime.dwHighDateTime=0x1d5bc32, ftLastWriteTime.dwLowDateTime=0x42305c70, ftLastWriteTime.dwHighDateTime=0x1d5bc32, nFileSizeHigh=0x0, nFileSizeLow=0x11730, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsitEZYllFX-rJ5-5Bo.jpg", cAlternateFileName="JSITEZ~1.JPG")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x201c1400, ftCreationTime.dwHighDateTime=0x1d5bcf8, ftLastAccessTime.dwLowDateTime=0xbba208a0, ftLastAccessTime.dwHighDateTime=0x1d5b85f, ftLastWriteTime.dwLowDateTime=0xbba208a0, ftLastWriteTime.dwHighDateTime=0x1d5b85f, nFileSizeHigh=0x0, nFileSizeLow=0x6eb5, dwReserved0=0x0, dwReserved1=0x0, cFileName="LYjoidXOr1cO RartGH6.doc", cAlternateFileName="LYJOID~1.DOC")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaec6f80, ftCreationTime.dwHighDateTime=0x1d5c209, ftLastAccessTime.dwLowDateTime=0xa6e8bd60, ftLastAccessTime.dwHighDateTime=0x1d5bcb9, ftLastWriteTime.dwLowDateTime=0xa6e8bd60, ftLastWriteTime.dwHighDateTime=0x1d5bcb9, nFileSizeHigh=0x0, nFileSizeLow=0x15c63, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfI3M 25waSS25or.mkv", cAlternateFileName="MFI3M2~1.MKV")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87a6c070, ftCreationTime.dwHighDateTime=0x1d5b67c, ftLastAccessTime.dwLowDateTime=0x563b39b0, ftLastAccessTime.dwHighDateTime=0x1d5ba11, ftLastWriteTime.dwLowDateTime=0x563b39b0, ftLastWriteTime.dwHighDateTime=0x1d5ba11, nFileSizeHigh=0x0, nFileSizeLow=0x1697d, dwReserved0=0x0, dwReserved1=0x0, cFileName="mUWrftnYC.wav", cAlternateFileName="MUWRFT~1.WAV")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44dc4490, ftCreationTime.dwHighDateTime=0x1d5c0fe, ftLastAccessTime.dwLowDateTime=0xb14ab520, ftLastAccessTime.dwHighDateTime=0x1d5c54b, ftLastWriteTime.dwLowDateTime=0xb14ab520, ftLastWriteTime.dwHighDateTime=0x1d5c54b, nFileSizeHigh=0x0, nFileSizeLow=0x1106e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NOXbRAUzS2JOG.mkv", cAlternateFileName="NOXBRA~1.MKV")) returned 1 [0055.047] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c770530, ftCreationTime.dwHighDateTime=0x1d5bffc, ftLastAccessTime.dwLowDateTime=0x2d920310, ftLastAccessTime.dwHighDateTime=0x1d5c5f9, ftLastWriteTime.dwLowDateTime=0x2d920310, ftLastWriteTime.dwHighDateTime=0x1d5c5f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ff6, dwReserved0=0x0, dwReserved1=0x0, cFileName="OX8GrNcx.odt", cAlternateFileName="")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70bd220, ftCreationTime.dwHighDateTime=0x1d5bfa0, ftLastAccessTime.dwLowDateTime=0x6daeeaa0, ftLastAccessTime.dwHighDateTime=0x1d5bcb5, ftLastWriteTime.dwLowDateTime=0x6daeeaa0, ftLastWriteTime.dwHighDateTime=0x1d5bcb5, nFileSizeHigh=0x0, nFileSizeLow=0xba8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="P1QsDkkSO.gif", cAlternateFileName="P1QSDK~1.GIF")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7476a870, ftCreationTime.dwHighDateTime=0x1d5b650, ftLastAccessTime.dwLowDateTime=0xf148fd40, ftLastAccessTime.dwHighDateTime=0x1d5bc6c, ftLastWriteTime.dwLowDateTime=0xf148fd40, ftLastWriteTime.dwHighDateTime=0x1d5bc6c, nFileSizeHigh=0x0, nFileSizeLow=0x154f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKWu5Wtief7lpBuOI5Rq.bmp", cAlternateFileName="PKWU5W~1.BMP")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7178a40, ftCreationTime.dwHighDateTime=0x1d5b7b7, ftLastAccessTime.dwLowDateTime=0xa27f9b30, ftLastAccessTime.dwHighDateTime=0x1d5c00c, ftLastWriteTime.dwLowDateTime=0xa27f9b30, ftLastWriteTime.dwHighDateTime=0x1d5c00c, nFileSizeHigh=0x0, nFileSizeLow=0xa1b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="S0JM6N_kv2iT0Y.mp3", cAlternateFileName="S0JM6N~1.MP3")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0x86109470, ftLastAccessTime.dwHighDateTime=0x1d5b69a, ftLastWriteTime.dwLowDateTime=0x86109470, ftLastWriteTime.dwHighDateTime=0x1d5b69a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="URfyazp6YCOme0Ken", cAlternateFileName="URFYAZ~1")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5297bf00, ftCreationTime.dwHighDateTime=0x1d5c497, ftLastAccessTime.dwLowDateTime=0xca69fe50, ftLastAccessTime.dwHighDateTime=0x1d5b9b9, ftLastWriteTime.dwLowDateTime=0xca69fe50, ftLastWriteTime.dwHighDateTime=0x1d5b9b9, nFileSizeHigh=0x0, nFileSizeLow=0x12bf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="VfW_67RL 5rflPX.gif", cAlternateFileName="VFW_67~1.GIF")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05a3b50, ftCreationTime.dwHighDateTime=0x1d5ba6e, ftLastAccessTime.dwLowDateTime=0x79528a00, ftLastAccessTime.dwHighDateTime=0x1d5c45e, ftLastWriteTime.dwLowDateTime=0x79528a00, ftLastWriteTime.dwHighDateTime=0x1d5c45e, nFileSizeHigh=0x0, nFileSizeLow=0x889c, dwReserved0=0x0, dwReserved1=0x0, cFileName="W3XiYmUciw.mp4", cAlternateFileName="W3XIYM~1.MP4")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0x61585b70, ftLastWriteTime.dwHighDateTime=0x1d5c1f0, nFileSizeHigh=0x0, nFileSizeLow=0x7cea, dwReserved0=0x0, dwReserved1=0x0, cFileName="xkXLYODV5dZ9R.pdf", cAlternateFileName="XKXLYO~1.PDF")) returned 1 [0055.048] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e5f0 | out: lpFindFileData=0xf1e5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0x61585b70, ftLastWriteTime.dwHighDateTime=0x1d5c1f0, nFileSizeHigh=0x0, nFileSizeLow=0x7cea, dwReserved0=0x0, dwReserved1=0x0, cFileName="xkXLYODV5dZ9R.pdf", cAlternateFileName="XKXLYO~1.PDF")) returned 0 [0055.048] FindClose (in: hFindFile=0x10b3290 | out: hFindFile=0x10b3290) returned 1 [0055.049] SetErrorMode (uMode=0x0) returned 0x1 [0055.386] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.387] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.390] SetErrorMode (uMode=0x1) returned 0x0 [0055.390] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8461af30, ftCreationTime.dwHighDateTime=0x1d5c480, ftLastAccessTime.dwLowDateTime=0xa6fcf660, ftLastAccessTime.dwHighDateTime=0x1d5ba00, ftLastWriteTime.dwLowDateTime=0xa6fcf660, ftLastWriteTime.dwHighDateTime=0x1d5ba00, nFileSizeHigh=0x0, nFileSizeLow=0x61a6)) returned 1 [0055.390] SetErrorMode (uMode=0x0) returned 0x1 [0055.466] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.467] SetErrorMode (uMode=0x1) returned 0x0 [0055.467] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.467] GetFileType (hFile=0x370) returned 0x1 [0055.467] SetErrorMode (uMode=0x0) returned 0x1 [0055.467] GetFileType (hFile=0x370) returned 0x1 [0055.468] SetFilePointer (in: hFile=0x370, lDistanceToMove=-24921, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x4d [0055.470] ReadFile (in: hFile=0x370, lpBuffer=0x3082740, nNumberOfBytesToRead=0x6159, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3082740*, lpNumberOfBytesRead=0xf1e738*=0x6159, lpOverlapped=0x0) returned 1 [0055.471] CloseHandle (hObject=0x370) returned 1 [0055.471] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.471] SetErrorMode (uMode=0x1) returned 0x0 [0055.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.471] GetFileType (hFile=0x370) returned 0x1 [0055.471] SetErrorMode (uMode=0x0) returned 0x1 [0055.471] GetFileType (hFile=0x370) returned 0x1 [0055.472] GetFileSize (in: hFile=0x370, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x61a6 [0055.525] SetFilePointer (in: hFile=0x370, lDistanceToMove=77, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x4d [0055.526] SetEndOfFile (hFile=0x370) returned 1 [0055.528] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0055.528] CloseHandle (hObject=0x370) returned 1 [0055.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.572] SetErrorMode (uMode=0x1) returned 0x0 [0055.572] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x370 [0055.572] GetFileType (hFile=0x370) returned 0x1 [0055.572] SetErrorMode (uMode=0x0) returned 0x1 [0055.572] GetFileType (hFile=0x370) returned 0x1 [0055.572] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x4d [0055.572] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.573] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.574] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.574] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.574] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.574] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.574] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.575] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.575] WriteFile (in: hFile=0x370, lpBuffer=0x30dc7f0*, nNumberOfBytesToWrite=0xe13, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30dc7f0*, lpNumberOfBytesWritten=0xf1e6d8*=0xe13, lpOverlapped=0x0) returned 1 [0055.575] CloseHandle (hObject=0x370) returned 1 [0055.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x58 [0055.577] SetErrorMode (uMode=0x1) returned 0x0 [0055.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8461af30, ftCreationTime.dwHighDateTime=0x1d5c480, ftLastAccessTime.dwLowDateTime=0xa6fcf660, ftLastAccessTime.dwHighDateTime=0x1d5ba00, ftLastWriteTime.dwLowDateTime=0xd72ec993, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8e60)) returned 1 [0055.577] SetErrorMode (uMode=0x0) returned 0x1 [0055.578] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0055.578] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav", lpFilePart=0x0) returned 0x28 [0055.579] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9kqgbPRnCB3J.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\9kqgbprncb3j.wav")) returned 0 [0055.580] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.580] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.580] SetErrorMode (uMode=0x1) returned 0x0 [0055.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6da183a0, ftCreationTime.dwHighDateTime=0x1d5b653, ftLastAccessTime.dwLowDateTime=0xc750c5f0, ftLastAccessTime.dwHighDateTime=0x1d5c305, ftLastWriteTime.dwLowDateTime=0xc750c5f0, ftLastWriteTime.dwHighDateTime=0x1d5c305, nFileSizeHigh=0x0, nFileSizeLow=0xac0a)) returned 1 [0055.580] SetErrorMode (uMode=0x0) returned 0x1 [0055.581] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.581] SetErrorMode (uMode=0x1) returned 0x0 [0055.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.581] GetFileType (hFile=0x370) returned 0x1 [0055.581] SetErrorMode (uMode=0x0) returned 0x1 [0055.614] GetFileType (hFile=0x370) returned 0x1 [0055.614] SetFilePointer (in: hFile=0x370, lDistanceToMove=-43992, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x32 [0055.614] ReadFile (in: hFile=0x370, lpBuffer=0x30de768, nNumberOfBytesToRead=0xabd8, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x30de768*, lpNumberOfBytesRead=0xf1e738*=0xabd8, lpOverlapped=0x0) returned 1 [0055.615] CloseHandle (hObject=0x370) returned 1 [0055.615] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.615] SetErrorMode (uMode=0x1) returned 0x0 [0055.615] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.615] GetFileType (hFile=0x370) returned 0x1 [0055.615] SetErrorMode (uMode=0x0) returned 0x1 [0055.615] GetFileType (hFile=0x370) returned 0x1 [0055.615] GetFileSize (in: hFile=0x370, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0xac0a [0055.615] SetFilePointer (in: hFile=0x370, lDistanceToMove=50, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x32 [0055.615] SetEndOfFile (hFile=0x370) returned 1 [0055.618] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0055.618] CloseHandle (hObject=0x370) returned 1 [0055.640] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.640] SetErrorMode (uMode=0x1) returned 0x0 [0055.640] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x370 [0055.640] GetFileType (hFile=0x370) returned 0x1 [0055.640] SetErrorMode (uMode=0x0) returned 0x1 [0055.640] GetFileType (hFile=0x370) returned 0x1 [0055.640] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x32 [0055.641] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.642] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.642] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.642] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.642] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.644] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.644] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.644] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.645] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.645] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.645] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.645] WriteFile (in: hFile=0x370, lpBuffer=0x31418f8*, nNumberOfBytesToWrite=0xabf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31418f8*, lpNumberOfBytesWritten=0xf1e6d8*=0xabf, lpOverlapped=0x0) returned 1 [0055.645] CloseHandle (hObject=0x370) returned 1 [0055.647] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.647] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x57 [0055.647] SetErrorMode (uMode=0x1) returned 0x0 [0055.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6da183a0, ftCreationTime.dwHighDateTime=0x1d5b653, ftLastAccessTime.dwLowDateTime=0xc750c5f0, ftLastAccessTime.dwHighDateTime=0x1d5c305, ftLastWriteTime.dwLowDateTime=0xd73ab4b1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xfaf1)) returned 1 [0055.647] SetErrorMode (uMode=0x0) returned 0x1 [0055.647] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0055.866] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf", lpFilePart=0x0) returned 0x27 [0055.866] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aJjJomlXtRW.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\ajjjomlxtrw.swf")) returned 0 [0055.866] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.867] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.867] SetErrorMode (uMode=0x1) returned 0x0 [0055.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5958240, ftCreationTime.dwHighDateTime=0x1d5ba70, ftLastAccessTime.dwLowDateTime=0x27d0bf0, ftLastAccessTime.dwHighDateTime=0x1d5c551, ftLastWriteTime.dwLowDateTime=0x27d0bf0, ftLastWriteTime.dwHighDateTime=0x1d5c551, nFileSizeHigh=0x0, nFileSizeLow=0x1e7d)) returned 1 [0055.867] SetErrorMode (uMode=0x0) returned 0x1 [0055.867] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.867] SetErrorMode (uMode=0x1) returned 0x0 [0055.867] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.867] GetFileType (hFile=0x370) returned 0x1 [0055.867] SetErrorMode (uMode=0x0) returned 0x1 [0055.867] GetFileType (hFile=0x370) returned 0x1 [0055.868] SetFilePointer (in: hFile=0x370, lDistanceToMove=-7722, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x53 [0055.868] ReadFile (in: hFile=0x370, lpBuffer=0x3143850, nNumberOfBytesToRead=0x1e2a, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3143850*, lpNumberOfBytesRead=0xf1e738*=0x1e2a, lpOverlapped=0x0) returned 1 [0055.868] CloseHandle (hObject=0x370) returned 1 [0055.868] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.868] SetErrorMode (uMode=0x1) returned 0x0 [0055.868] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.868] GetFileType (hFile=0x370) returned 0x1 [0055.868] SetErrorMode (uMode=0x0) returned 0x1 [0055.868] GetFileType (hFile=0x370) returned 0x1 [0055.868] GetFileSize (in: hFile=0x370, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x1e7d [0055.869] SetFilePointer (in: hFile=0x370, lDistanceToMove=83, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x53 [0055.869] SetEndOfFile (hFile=0x370) returned 1 [0055.871] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0055.871] CloseHandle (hObject=0x370) returned 1 [0055.875] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.875] SetErrorMode (uMode=0x1) returned 0x0 [0055.875] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x370 [0055.875] GetFileType (hFile=0x370) returned 0x1 [0055.875] SetErrorMode (uMode=0x0) returned 0x1 [0055.875] GetFileType (hFile=0x370) returned 0x1 [0055.875] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x53 [0055.875] WriteFile (in: hFile=0x370, lpBuffer=0x3163aa8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3163aa8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.876] WriteFile (in: hFile=0x370, lpBuffer=0x3163aa8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3163aa8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0055.877] WriteFile (in: hFile=0x370, lpBuffer=0x3163aa8*, nNumberOfBytesToWrite=0xc13, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3163aa8*, lpNumberOfBytesWritten=0xf1e6d8*=0xc13, lpOverlapped=0x0) returned 1 [0055.877] CloseHandle (hObject=0x370) returned 1 [0055.878] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.879] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0055.879] SetErrorMode (uMode=0x1) returned 0x0 [0055.879] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5958240, ftCreationTime.dwHighDateTime=0x1d5ba70, ftLastAccessTime.dwLowDateTime=0x27d0bf0, ftLastAccessTime.dwHighDateTime=0x1d5c551, ftLastWriteTime.dwLowDateTime=0xd75c1309, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2c66)) returned 1 [0055.879] SetErrorMode (uMode=0x0) returned 0x1 [0055.879] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0055.880] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt", lpFilePart=0x0) returned 0x24 [0055.880] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AN6-Pxxi.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\an6-pxxi.odt")) returned 0 [0055.880] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0055.880] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0055.880] SetErrorMode (uMode=0x1) returned 0x0 [0055.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9f2a0, ftCreationTime.dwHighDateTime=0x1d5c588, ftLastAccessTime.dwLowDateTime=0xf92d8ae0, ftLastAccessTime.dwHighDateTime=0x1d5c3eb, ftLastWriteTime.dwLowDateTime=0xf92d8ae0, ftLastWriteTime.dwHighDateTime=0x1d5c3eb, nFileSizeHigh=0x0, nFileSizeLow=0x163c5)) returned 1 [0055.880] SetErrorMode (uMode=0x0) returned 0x1 [0055.882] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0055.882] SetErrorMode (uMode=0x1) returned 0x0 [0055.882] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.882] GetFileType (hFile=0x370) returned 0x1 [0055.882] SetErrorMode (uMode=0x0) returned 0x1 [0055.882] GetFileType (hFile=0x370) returned 0x1 [0055.882] SetFilePointer (in: hFile=0x370, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x69c6 [0055.882] ReadFile (in: hFile=0x370, lpBuffer=0x3165a48, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3165a48*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0055.883] CloseHandle (hObject=0x370) returned 1 [0055.883] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0055.883] SetErrorMode (uMode=0x1) returned 0x0 [0055.883] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x370 [0055.883] GetFileType (hFile=0x370) returned 0x1 [0055.883] SetErrorMode (uMode=0x0) returned 0x1 [0055.883] GetFileType (hFile=0x370) returned 0x1 [0055.883] GetFileSize (in: hFile=0x370, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x163c5 [0055.883] SetFilePointer (in: hFile=0x370, lDistanceToMove=27078, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x69c6 [0055.883] SetEndOfFile (hFile=0x370) returned 1 [0055.886] SetFilePointer (in: hFile=0x370, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0055.886] CloseHandle (hObject=0x370) returned 1 [0056.030] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0056.030] SetErrorMode (uMode=0x1) returned 0x0 [0056.030] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.031] GetFileType (hFile=0x30c) returned 0x1 [0056.031] SetErrorMode (uMode=0x0) returned 0x1 [0056.031] GetFileType (hFile=0x30c) returned 0x1 [0056.031] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x69c6 [0056.031] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.032] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.032] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.032] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.033] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.033] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.033] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.033] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.033] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.034] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.034] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.034] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.034] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.071] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.071] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.071] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.071] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.071] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.072] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.072] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.072] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.072] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.073] WriteFile (in: hFile=0x30c, lpBuffer=0x305d900*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x305d900*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0056.073] CloseHandle (hObject=0x30c) returned 1 [0056.076] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0056.076] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x60 [0056.076] SetErrorMode (uMode=0x1) returned 0x0 [0056.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9f2a0, ftCreationTime.dwHighDateTime=0x1d5c588, ftLastAccessTime.dwLowDateTime=0xf92d8ae0, ftLastAccessTime.dwHighDateTime=0x1d5c3eb, ftLastWriteTime.dwLowDateTime=0xd77b1237, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1d685)) returned 1 [0056.076] SetErrorMode (uMode=0x0) returned 0x1 [0056.076] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.077] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif", lpFilePart=0x0) returned 0x30 [0056.077] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AOHiWgJ_sDNW 3pSUMTE.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\aohiwgj_sdnw 3psumte.gif")) returned 0 [0056.077] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.077] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.077] SetErrorMode (uMode=0x1) returned 0x0 [0056.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bba78e0, ftCreationTime.dwHighDateTime=0x1d5c2c9, ftLastAccessTime.dwLowDateTime=0xa6cf2780, ftLastAccessTime.dwHighDateTime=0x1d5b6fe, ftLastWriteTime.dwLowDateTime=0xa6cf2780, ftLastWriteTime.dwHighDateTime=0x1d5b6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14355)) returned 1 [0056.077] SetErrorMode (uMode=0x0) returned 0x1 [0056.077] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.077] SetErrorMode (uMode=0x1) returned 0x0 [0056.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.078] GetFileType (hFile=0x30c) returned 0x1 [0056.078] SetErrorMode (uMode=0x0) returned 0x1 [0056.078] GetFileType (hFile=0x30c) returned 0x1 [0056.078] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x4956 [0056.078] ReadFile (in: hFile=0x30c, lpBuffer=0x305f8a0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x305f8a0*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0056.078] CloseHandle (hObject=0x30c) returned 1 [0056.078] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.078] SetErrorMode (uMode=0x1) returned 0x0 [0056.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.079] GetFileType (hFile=0x30c) returned 0x1 [0056.079] SetErrorMode (uMode=0x0) returned 0x1 [0056.079] GetFileType (hFile=0x30c) returned 0x1 [0056.079] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x14355 [0056.079] SetFilePointer (in: hFile=0x30c, lDistanceToMove=18774, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x4956 [0056.079] SetEndOfFile (hFile=0x30c) returned 1 [0056.081] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0056.081] CloseHandle (hObject=0x30c) returned 1 [0056.102] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.102] SetErrorMode (uMode=0x1) returned 0x0 [0056.102] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.103] GetFileType (hFile=0x30c) returned 0x1 [0056.103] SetErrorMode (uMode=0x0) returned 0x1 [0056.103] GetFileType (hFile=0x30c) returned 0x1 [0056.103] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x4956 [0056.103] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.104] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.104] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.104] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.105] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.105] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.105] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.105] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.105] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.106] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.106] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.106] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.106] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.106] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.107] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.107] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.107] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.107] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.107] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.108] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.108] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.108] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.108] WriteFile (in: hFile=0x30c, lpBuffer=0x30e19e0*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30e19e0*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0056.108] CloseHandle (hObject=0x30c) returned 1 [0056.111] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.111] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x50 [0056.111] SetErrorMode (uMode=0x1) returned 0x0 [0056.111] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bba78e0, ftCreationTime.dwHighDateTime=0x1d5c2c9, ftLastAccessTime.dwLowDateTime=0xa6cf2780, ftLastAccessTime.dwHighDateTime=0x1d5b6fe, ftLastWriteTime.dwLowDateTime=0xd77fd99d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b615)) returned 1 [0056.111] SetErrorMode (uMode=0x0) returned 0x1 [0056.111] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.112] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a", lpFilePart=0x0) returned 0x20 [0056.112] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aWNU.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\awnu.m4a")) returned 0 [0056.112] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.112] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.112] SetErrorMode (uMode=0x1) returned 0x0 [0056.112] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8e60a0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x61ef4ce0, ftLastAccessTime.dwHighDateTime=0x1d5c143, ftLastWriteTime.dwLowDateTime=0x61ef4ce0, ftLastWriteTime.dwHighDateTime=0x1d5c143, nFileSizeHigh=0x0, nFileSizeLow=0x4307)) returned 1 [0056.112] SetErrorMode (uMode=0x0) returned 0x1 [0056.112] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.112] SetErrorMode (uMode=0x1) returned 0x0 [0056.113] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.162] GetFileType (hFile=0x30c) returned 0x1 [0056.162] SetErrorMode (uMode=0x0) returned 0x1 [0056.162] GetFileType (hFile=0x30c) returned 0x1 [0056.162] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17082, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x4d [0056.162] ReadFile (in: hFile=0x30c, lpBuffer=0x30e38e8, nNumberOfBytesToRead=0x42ba, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x30e38e8*, lpNumberOfBytesRead=0xf1e738*=0x42ba, lpOverlapped=0x0) returned 1 [0056.162] CloseHandle (hObject=0x30c) returned 1 [0056.162] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.162] SetErrorMode (uMode=0x1) returned 0x0 [0056.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.163] GetFileType (hFile=0x30c) returned 0x1 [0056.163] SetErrorMode (uMode=0x0) returned 0x1 [0056.163] GetFileType (hFile=0x30c) returned 0x1 [0056.163] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x4307 [0056.163] SetFilePointer (in: hFile=0x30c, lDistanceToMove=77, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x4d [0056.163] SetEndOfFile (hFile=0x30c) returned 1 [0056.165] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0056.165] CloseHandle (hObject=0x30c) returned 1 [0056.168] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.168] SetErrorMode (uMode=0x1) returned 0x0 [0056.168] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.168] GetFileType (hFile=0x30c) returned 0x1 [0056.168] SetErrorMode (uMode=0x0) returned 0x1 [0056.168] GetFileType (hFile=0x30c) returned 0x1 [0056.168] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x4d [0056.168] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.169] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.169] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.170] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.170] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.170] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6a8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6a8*=0x1000, lpOverlapped=0x0) returned 1 [0056.170] WriteFile (in: hFile=0x30c, lpBuffer=0x3127108*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3127108*, lpNumberOfBytesWritten=0xf1e6d8*=0x16b, lpOverlapped=0x0) returned 1 [0056.170] CloseHandle (hObject=0x30c) returned 1 [0056.172] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.172] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x4f [0056.172] SetErrorMode (uMode=0x1) returned 0x0 [0056.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8e60a0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x61ef4ce0, ftLastAccessTime.dwHighDateTime=0x1d5c143, ftLastWriteTime.dwLowDateTime=0xd7896285, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x61b8)) returned 1 [0056.172] SetErrorMode (uMode=0x0) returned 0x1 [0056.172] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.174] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3", lpFilePart=0x0) returned 0x1f [0056.174] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\d8U.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\d8u.mp3")) returned 0 [0056.174] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.174] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.174] SetErrorMode (uMode=0x1) returned 0x0 [0056.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0056.174] SetErrorMode (uMode=0x0) returned 0x1 [0056.174] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.174] SetErrorMode (uMode=0x1) returned 0x0 [0056.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.175] GetFileType (hFile=0x30c) returned 0x1 [0056.175] SetErrorMode (uMode=0x0) returned 0x1 [0056.175] GetFileType (hFile=0x30c) returned 0x1 [0056.175] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-234, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x30 [0056.175] ReadFile (in: hFile=0x30c, lpBuffer=0x3129418, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3129418*, lpNumberOfBytesRead=0xf1e738*=0xea, lpOverlapped=0x0) returned 1 [0056.175] CloseHandle (hObject=0x30c) returned 1 [0056.175] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.175] SetErrorMode (uMode=0x1) returned 0x0 [0056.175] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.175] GetFileType (hFile=0x30c) returned 0x1 [0056.175] SetErrorMode (uMode=0x0) returned 0x1 [0056.176] GetFileType (hFile=0x30c) returned 0x1 [0056.176] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x11a [0056.176] SetFilePointer (in: hFile=0x30c, lDistanceToMove=48, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x30 [0056.176] SetEndOfFile (hFile=0x30c) returned 1 [0056.178] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0056.178] CloseHandle (hObject=0x30c) returned 1 [0056.178] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.178] SetErrorMode (uMode=0x1) returned 0x0 [0056.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.178] GetFileType (hFile=0x30c) returned 0x1 [0056.178] SetErrorMode (uMode=0x0) returned 0x1 [0056.178] GetFileType (hFile=0x30c) returned 0x1 [0056.178] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x30 [0056.178] WriteFile (in: hFile=0x30c, lpBuffer=0x312c378*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x312c378*, lpNumberOfBytesWritten=0xf1e6d8*=0x16b, lpOverlapped=0x0) returned 1 [0056.179] CloseHandle (hObject=0x30c) returned 1 [0056.180] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.180] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x53 [0056.180] SetErrorMode (uMode=0x1) returned 0x0 [0056.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xd78bc2ef, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19b)) returned 1 [0056.180] SetErrorMode (uMode=0x0) returned 0x1 [0056.180] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.180] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0056.180] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini" (normalized: "c:\\users\\fd1hvy\\desktop\\desktop.ini")) returned 0 [0056.181] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0056.181] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0056.181] SetErrorMode (uMode=0x1) returned 0x0 [0056.181] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dp_main.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5be4880, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xb5be4880, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xb3f48500, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0056.181] SetErrorMode (uMode=0x0) returned 0x1 [0056.181] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0056.181] SetErrorMode (uMode=0x1) returned 0x0 [0056.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dp_main.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.181] GetFileType (hFile=0x30c) returned 0x1 [0056.181] SetErrorMode (uMode=0x0) returned 0x1 [0056.181] GetFileType (hFile=0x30c) returned 0x1 [0056.181] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-36855, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x9 [0056.181] ReadFile (in: hFile=0x30c, lpBuffer=0x312e298, nNumberOfBytesToRead=0x8ff7, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x312e298*, lpNumberOfBytesRead=0xf1e738*=0x8ff7, lpOverlapped=0x0) returned 1 [0056.181] CloseHandle (hObject=0x30c) returned 1 [0056.181] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe", lpFilePart=0x0) returned 0x23 [0056.181] SetErrorMode (uMode=0x1) returned 0x0 [0056.182] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DP_Main.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dp_main.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0056.477] SetErrorMode (uMode=0x0) returned 0x1 [0056.478] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.478] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.478] SetErrorMode (uMode=0x1) returned 0x0 [0056.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb321130, ftCreationTime.dwHighDateTime=0x1d5bc6f, ftLastAccessTime.dwLowDateTime=0x2df41ef0, ftLastAccessTime.dwHighDateTime=0x1d5b650, ftLastWriteTime.dwLowDateTime=0x2df41ef0, ftLastWriteTime.dwHighDateTime=0x1d5b650, nFileSizeHigh=0x0, nFileSizeLow=0x7021)) returned 1 [0056.479] SetErrorMode (uMode=0x0) returned 0x1 [0056.479] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.479] SetErrorMode (uMode=0x1) returned 0x0 [0056.479] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.479] GetFileType (hFile=0x30c) returned 0x1 [0056.479] SetErrorMode (uMode=0x0) returned 0x1 [0056.479] GetFileType (hFile=0x30c) returned 0x1 [0056.479] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-28665, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x28 [0056.479] ReadFile (in: hFile=0x30c, lpBuffer=0x3157c30, nNumberOfBytesToRead=0x6ff9, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3157c30*, lpNumberOfBytesRead=0xf1e738*=0x6ff9, lpOverlapped=0x0) returned 1 [0056.480] CloseHandle (hObject=0x30c) returned 1 [0056.480] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.480] SetErrorMode (uMode=0x1) returned 0x0 [0056.480] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.480] GetFileType (hFile=0x30c) returned 0x1 [0056.480] SetErrorMode (uMode=0x0) returned 0x1 [0056.480] GetFileType (hFile=0x30c) returned 0x1 [0056.480] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x7021 [0056.480] SetFilePointer (in: hFile=0x30c, lDistanceToMove=40, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x28 [0056.480] SetEndOfFile (hFile=0x30c) returned 1 [0056.567] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0056.567] CloseHandle (hObject=0x30c) returned 1 [0056.661] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.661] SetErrorMode (uMode=0x1) returned 0x0 [0056.661] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.661] GetFileType (hFile=0x30c) returned 0x1 [0056.661] SetErrorMode (uMode=0x0) returned 0x1 [0056.661] GetFileType (hFile=0x30c) returned 0x1 [0056.661] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x28 [0056.661] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.662] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.663] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.663] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.663] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.663] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.664] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.664] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.664] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.664] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6a8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6a8*=0x1000, lpOverlapped=0x0) returned 1 [0056.664] WriteFile (in: hFile=0x30c, lpBuffer=0x31bc920*, nNumberOfBytesToWrite=0x36b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31bc920*, lpNumberOfBytesWritten=0xf1e6d8*=0x36b, lpOverlapped=0x0) returned 1 [0056.665] CloseHandle (hObject=0x30c) returned 1 [0056.717] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.717] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x57 [0056.717] SetErrorMode (uMode=0x1) returned 0x0 [0056.718] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb321130, ftCreationTime.dwHighDateTime=0x1d5bc6f, ftLastAccessTime.dwLowDateTime=0x2df41ef0, ftLastAccessTime.dwHighDateTime=0x1d5b650, ftLastWriteTime.dwLowDateTime=0xd7d5ae49, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xa393)) returned 1 [0056.718] SetErrorMode (uMode=0x0) returned 0x1 [0056.718] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.794] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png", lpFilePart=0x0) returned 0x27 [0056.795] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\FHxozOc_QKE.png" (normalized: "c:\\users\\fd1hvy\\desktop\\fhxozoc_qke.png")) returned 0 [0056.795] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.795] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.795] SetErrorMode (uMode=0x1) returned 0x0 [0056.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddb61640, ftCreationTime.dwHighDateTime=0x1d5b7d6, ftLastAccessTime.dwLowDateTime=0xe32d29b0, ftLastAccessTime.dwHighDateTime=0x1d5c1ef, ftLastWriteTime.dwLowDateTime=0xe32d29b0, ftLastWriteTime.dwHighDateTime=0x1d5c1ef, nFileSizeHigh=0x0, nFileSizeLow=0x8ba5)) returned 1 [0056.795] SetErrorMode (uMode=0x0) returned 0x1 [0056.796] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.796] SetErrorMode (uMode=0x1) returned 0x0 [0056.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.796] GetFileType (hFile=0x30c) returned 0x1 [0056.796] SetErrorMode (uMode=0x0) returned 0x1 [0056.796] GetFileType (hFile=0x30c) returned 0x1 [0056.796] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-35685, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x40 [0056.796] ReadFile (in: hFile=0x30c, lpBuffer=0x31be890, nNumberOfBytesToRead=0x8b65, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x31be890*, lpNumberOfBytesRead=0xf1e738*=0x8b65, lpOverlapped=0x0) returned 1 [0056.796] CloseHandle (hObject=0x30c) returned 1 [0056.797] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.797] SetErrorMode (uMode=0x1) returned 0x0 [0056.797] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.797] GetFileType (hFile=0x30c) returned 0x1 [0056.797] SetErrorMode (uMode=0x0) returned 0x1 [0056.797] GetFileType (hFile=0x30c) returned 0x1 [0056.797] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x8ba5 [0056.797] SetFilePointer (in: hFile=0x30c, lDistanceToMove=64, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x40 [0056.797] SetEndOfFile (hFile=0x30c) returned 1 [0056.800] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0056.800] CloseHandle (hObject=0x30c) returned 1 [0056.861] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.861] SetErrorMode (uMode=0x1) returned 0x0 [0056.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0056.862] GetFileType (hFile=0x30c) returned 0x1 [0056.862] SetErrorMode (uMode=0x0) returned 0x1 [0056.862] GetFileType (hFile=0x30c) returned 0x1 [0056.862] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x40 [0056.862] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.863] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.864] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.864] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.864] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.864] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.866] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0056.866] WriteFile (in: hFile=0x30c, lpBuffer=0x3215a20*, nNumberOfBytesToWrite=0xb6b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3215a20*, lpNumberOfBytesWritten=0xf1e6d8*=0xb6b, lpOverlapped=0x0) returned 1 [0056.866] CloseHandle (hObject=0x30c) returned 1 [0056.868] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.868] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5b [0056.868] SetErrorMode (uMode=0x1) returned 0x0 [0056.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddb61640, ftCreationTime.dwHighDateTime=0x1d5b7d6, ftLastAccessTime.dwLowDateTime=0xe32d29b0, ftLastAccessTime.dwHighDateTime=0x1d5c1ef, ftLastWriteTime.dwLowDateTime=0xd7f4aa09, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcbab)) returned 1 [0056.868] SetErrorMode (uMode=0x0) returned 0x1 [0056.868] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0056.869] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp", lpFilePart=0x0) returned 0x2b [0056.869] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HAMwLsfXQw AUyW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\hamwlsfxqw auyw.bmp")) returned 0 [0056.869] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0056.869] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0056.869] SetErrorMode (uMode=0x1) returned 0x0 [0056.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2c1610, ftCreationTime.dwHighDateTime=0x1d5bcf2, ftLastAccessTime.dwLowDateTime=0x9bda2d90, ftLastAccessTime.dwHighDateTime=0x1d5b8eb, ftLastWriteTime.dwLowDateTime=0x9bda2d90, ftLastWriteTime.dwHighDateTime=0x1d5b8eb, nFileSizeHigh=0x0, nFileSizeLow=0x1560e)) returned 1 [0056.869] SetErrorMode (uMode=0x0) returned 0x1 [0056.870] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0056.871] SetErrorMode (uMode=0x1) returned 0x0 [0056.871] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0056.871] GetFileType (hFile=0x30c) returned 0x1 [0056.871] SetErrorMode (uMode=0x0) returned 0x1 [0056.871] GetFileType (hFile=0x30c) returned 0x1 [0056.871] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x5c0f [0056.871] ReadFile (in: hFile=0x30c, lpBuffer=0x32179c8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x32179c8*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0056.872] CloseHandle (hObject=0x30c) returned 1 [0056.872] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0056.872] SetErrorMode (uMode=0x1) returned 0x0 [0056.872] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.529] GetFileType (hFile=0x30c) returned 0x1 [0060.529] SetErrorMode (uMode=0x0) returned 0x1 [0060.529] GetFileType (hFile=0x30c) returned 0x1 [0060.529] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x1560e [0060.529] SetFilePointer (in: hFile=0x30c, lDistanceToMove=23567, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x5c0f [0060.529] SetEndOfFile (hFile=0x30c) returned 1 [0060.532] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.532] CloseHandle (hObject=0x30c) returned 1 [0060.561] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0060.561] SetErrorMode (uMode=0x1) returned 0x0 [0060.562] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.562] GetFileType (hFile=0x30c) returned 0x1 [0060.562] SetErrorMode (uMode=0x0) returned 0x1 [0060.562] GetFileType (hFile=0x30c) returned 0x1 [0060.562] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x5c0f [0060.562] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.563] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.563] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.563] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.564] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.564] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.564] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.564] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3059e58*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3059e58*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.568] CloseHandle (hObject=0x30c) returned 1 [0060.570] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0060.571] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5c [0060.571] SetErrorMode (uMode=0x1) returned 0x0 [0060.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2c1610, ftCreationTime.dwHighDateTime=0x1d5bcf2, ftLastAccessTime.dwLowDateTime=0x9bda2d90, ftLastAccessTime.dwHighDateTime=0x1d5b8eb, ftLastWriteTime.dwLowDateTime=0xda28eb8a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c8ce)) returned 1 [0060.571] SetErrorMode (uMode=0x0) returned 0x1 [0060.571] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.571] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav", lpFilePart=0x0) returned 0x2c [0060.572] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hIB45OhCIGM_rvc7.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\hib45ohcigm_rvc7.wav")) returned 0 [0060.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\id.dp", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\id.dp", lpFilePart=0x0) returned 0x1d [0060.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\id.dp", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\id.dp", lpFilePart=0x0) returned 0x1d [0060.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.572] SetErrorMode (uMode=0x1) returned 0x0 [0060.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3ec56a0, ftCreationTime.dwHighDateTime=0x1d5c41b, ftLastAccessTime.dwLowDateTime=0xe12ca6a0, ftLastAccessTime.dwHighDateTime=0x1d5c31f, ftLastWriteTime.dwLowDateTime=0xe12ca6a0, ftLastWriteTime.dwHighDateTime=0x1d5c31f, nFileSizeHigh=0x0, nFileSizeLow=0x9280)) returned 1 [0060.572] SetErrorMode (uMode=0x0) returned 0x1 [0060.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.572] SetErrorMode (uMode=0x1) returned 0x0 [0060.572] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.572] GetFileType (hFile=0x30c) returned 0x1 [0060.572] SetErrorMode (uMode=0x0) returned 0x1 [0060.572] GetFileType (hFile=0x30c) returned 0x1 [0060.572] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-37440, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x40 [0060.572] ReadFile (in: hFile=0x30c, lpBuffer=0x305c328, nNumberOfBytesToRead=0x9240, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x305c328*, lpNumberOfBytesRead=0xf1e738*=0x9240, lpOverlapped=0x0) returned 1 [0060.573] CloseHandle (hObject=0x30c) returned 1 [0060.573] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.573] SetErrorMode (uMode=0x1) returned 0x0 [0060.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.573] GetFileType (hFile=0x30c) returned 0x1 [0060.573] SetErrorMode (uMode=0x0) returned 0x1 [0060.573] GetFileType (hFile=0x30c) returned 0x1 [0060.573] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x9280 [0060.573] SetFilePointer (in: hFile=0x30c, lDistanceToMove=64, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x40 [0060.573] SetEndOfFile (hFile=0x30c) returned 1 [0060.576] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.576] CloseHandle (hObject=0x30c) returned 1 [0060.592] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.592] SetErrorMode (uMode=0x1) returned 0x0 [0060.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.593] GetFileType (hFile=0x30c) returned 0x1 [0060.593] SetErrorMode (uMode=0x0) returned 0x1 [0060.593] GetFileType (hFile=0x30c) returned 0x1 [0060.593] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x40 [0060.593] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.594] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.594] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.594] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.595] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.595] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.595] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.595] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.595] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.597] WriteFile (in: hFile=0x30c, lpBuffer=0x30b8fb0*, nNumberOfBytesToWrite=0x56b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30b8fb0*, lpNumberOfBytesWritten=0xf1e6d8*=0x56b, lpOverlapped=0x0) returned 1 [0060.597] CloseHandle (hObject=0x30c) returned 1 [0060.598] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.598] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x60 [0060.598] SetErrorMode (uMode=0x1) returned 0x0 [0060.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3ec56a0, ftCreationTime.dwHighDateTime=0x1d5c41b, ftLastAccessTime.dwLowDateTime=0xe12ca6a0, ftLastAccessTime.dwHighDateTime=0x1d5c31f, ftLastWriteTime.dwLowDateTime=0xda2db09f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xd5ab)) returned 1 [0060.599] SetErrorMode (uMode=0x0) returned 0x1 [0060.599] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.599] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps", lpFilePart=0x0) returned 0x30 [0060.599] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\J6aDIHYLiICtbUWWpQ-a.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\j6adihyliictbuwwpq-a.pps")) returned 0 [0060.599] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.599] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.599] SetErrorMode (uMode=0x1) returned 0x0 [0060.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8384730, ftCreationTime.dwHighDateTime=0x1d5b609, ftLastAccessTime.dwLowDateTime=0xb2290bb0, ftLastAccessTime.dwHighDateTime=0x1d5b7ac, ftLastWriteTime.dwLowDateTime=0xb2290bb0, ftLastWriteTime.dwHighDateTime=0x1d5b7ac, nFileSizeHigh=0x0, nFileSizeLow=0x109a1)) returned 1 [0060.600] SetErrorMode (uMode=0x0) returned 0x1 [0060.600] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.600] SetErrorMode (uMode=0x1) returned 0x0 [0060.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.600] GetFileType (hFile=0x30c) returned 0x1 [0060.600] SetErrorMode (uMode=0x0) returned 0x1 [0060.600] GetFileType (hFile=0x30c) returned 0x1 [0060.600] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0xfa2 [0060.600] ReadFile (in: hFile=0x30c, lpBuffer=0x30baf68, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x30baf68*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.601] CloseHandle (hObject=0x30c) returned 1 [0060.601] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.601] SetErrorMode (uMode=0x1) returned 0x0 [0060.601] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.601] GetFileType (hFile=0x30c) returned 0x1 [0060.601] SetErrorMode (uMode=0x0) returned 0x1 [0060.601] GetFileType (hFile=0x30c) returned 0x1 [0060.601] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x109a1 [0060.601] SetFilePointer (in: hFile=0x30c, lDistanceToMove=4002, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0xfa2 [0060.601] SetEndOfFile (hFile=0x30c) returned 1 [0060.604] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.604] CloseHandle (hObject=0x30c) returned 1 [0060.641] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.642] SetErrorMode (uMode=0x1) returned 0x0 [0060.642] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.642] GetFileType (hFile=0x30c) returned 0x1 [0060.642] SetErrorMode (uMode=0x0) returned 0x1 [0060.642] GetFileType (hFile=0x30c) returned 0x1 [0060.642] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0xfa2 [0060.642] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.643] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.643] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.644] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.644] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.644] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.644] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.644] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.645] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.645] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.645] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.645] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.646] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.646] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.646] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.646] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.647] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.647] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.647] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.647] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.648] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.648] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.648] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef6e8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef6e8*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.648] CloseHandle (hObject=0x30c) returned 1 [0060.651] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.651] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0060.651] SetErrorMode (uMode=0x1) returned 0x0 [0060.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8384730, ftCreationTime.dwHighDateTime=0x1d5b609, ftLastAccessTime.dwLowDateTime=0xb2290bb0, ftLastAccessTime.dwHighDateTime=0x1d5b7ac, ftLastWriteTime.dwLowDateTime=0xda34d5d9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x17c61)) returned 1 [0060.651] SetErrorMode (uMode=0x0) returned 0x1 [0060.651] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv", lpFilePart=0x0) returned 0x24 [0060.652] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\j86dCykR.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\j86dcykr.csv")) returned 0 [0060.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.652] SetErrorMode (uMode=0x1) returned 0x0 [0060.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca2bee60, ftCreationTime.dwHighDateTime=0x1d5b80d, ftLastAccessTime.dwLowDateTime=0x199db790, ftLastAccessTime.dwHighDateTime=0x1d5b862, ftLastWriteTime.dwLowDateTime=0x199db790, ftLastWriteTime.dwHighDateTime=0x1d5b862, nFileSizeHigh=0x0, nFileSizeLow=0x174c4)) returned 1 [0060.652] SetErrorMode (uMode=0x0) returned 0x1 [0060.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.652] SetErrorMode (uMode=0x1) returned 0x0 [0060.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.653] GetFileType (hFile=0x30c) returned 0x1 [0060.653] SetErrorMode (uMode=0x0) returned 0x1 [0060.653] GetFileType (hFile=0x30c) returned 0x1 [0060.653] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x7ac5 [0060.653] ReadFile (in: hFile=0x30c, lpBuffer=0x2ff1640, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x2ff1640*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.653] CloseHandle (hObject=0x30c) returned 1 [0060.653] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.653] SetErrorMode (uMode=0x1) returned 0x0 [0060.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.654] GetFileType (hFile=0x30c) returned 0x1 [0060.654] SetErrorMode (uMode=0x0) returned 0x1 [0060.654] GetFileType (hFile=0x30c) returned 0x1 [0060.654] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x174c4 [0060.654] SetFilePointer (in: hFile=0x30c, lDistanceToMove=31429, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x7ac5 [0060.654] SetEndOfFile (hFile=0x30c) returned 1 [0060.657] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.657] CloseHandle (hObject=0x30c) returned 1 [0060.669] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.669] SetErrorMode (uMode=0x1) returned 0x0 [0060.669] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.669] GetFileType (hFile=0x30c) returned 0x1 [0060.669] SetErrorMode (uMode=0x0) returned 0x1 [0060.669] GetFileType (hFile=0x30c) returned 0x1 [0060.669] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x7ac5 [0060.670] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.680] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.680] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.680] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.680] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x30c, lpBuffer=0x30736d8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30736d8*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.684] CloseHandle (hObject=0x30c) returned 1 [0060.687] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.687] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0060.687] SetErrorMode (uMode=0x1) returned 0x0 [0060.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca2bee60, ftCreationTime.dwHighDateTime=0x1d5b80d, ftLastAccessTime.dwLowDateTime=0x199db790, ftLastAccessTime.dwHighDateTime=0x1d5b862, ftLastWriteTime.dwLowDateTime=0xda3c21d0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e784)) returned 1 [0060.687] SetErrorMode (uMode=0x0) returned 0x1 [0060.687] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.688] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4", lpFilePart=0x0) returned 0x24 [0060.688] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\JPGBwvW6.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\jpgbwvw6.mp4")) returned 0 [0060.688] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.688] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.688] SetErrorMode (uMode=0x1) returned 0x0 [0060.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa679aa00, ftCreationTime.dwHighDateTime=0x1d5b8aa, ftLastAccessTime.dwLowDateTime=0x42305c70, ftLastAccessTime.dwHighDateTime=0x1d5bc32, ftLastWriteTime.dwLowDateTime=0x42305c70, ftLastWriteTime.dwHighDateTime=0x1d5bc32, nFileSizeHigh=0x0, nFileSizeLow=0x11730)) returned 1 [0060.688] SetErrorMode (uMode=0x0) returned 0x1 [0060.688] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.688] SetErrorMode (uMode=0x1) returned 0x0 [0060.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.688] GetFileType (hFile=0x30c) returned 0x1 [0060.688] SetErrorMode (uMode=0x0) returned 0x1 [0060.688] GetFileType (hFile=0x30c) returned 0x1 [0060.688] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x1d31 [0060.689] ReadFile (in: hFile=0x30c, lpBuffer=0x307efb0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x307efb0*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.689] CloseHandle (hObject=0x30c) returned 1 [0060.689] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.689] SetErrorMode (uMode=0x1) returned 0x0 [0060.689] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.689] GetFileType (hFile=0x30c) returned 0x1 [0060.689] SetErrorMode (uMode=0x0) returned 0x1 [0060.689] GetFileType (hFile=0x30c) returned 0x1 [0060.689] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x11730 [0060.689] SetFilePointer (in: hFile=0x30c, lDistanceToMove=7473, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x1d31 [0060.690] SetEndOfFile (hFile=0x30c) returned 1 [0060.692] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.692] CloseHandle (hObject=0x30c) returned 1 [0060.706] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.706] SetErrorMode (uMode=0x1) returned 0x0 [0060.706] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.706] GetFileType (hFile=0x30c) returned 0x1 [0060.706] SetErrorMode (uMode=0x0) returned 0x1 [0060.706] GetFileType (hFile=0x30c) returned 0x1 [0060.706] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x1d31 [0060.707] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.707] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.708] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.708] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.708] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.708] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.708] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.709] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3104250*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3104250*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.711] CloseHandle (hObject=0x30c) returned 1 [0060.714] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.714] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5f [0060.714] SetErrorMode (uMode=0x1) returned 0x0 [0060.714] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa679aa00, ftCreationTime.dwHighDateTime=0x1d5b8aa, ftLastAccessTime.dwLowDateTime=0x42305c70, ftLastAccessTime.dwHighDateTime=0x1d5bc32, ftLastWriteTime.dwLowDateTime=0xda3e60f2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x189f0)) returned 1 [0060.714] SetErrorMode (uMode=0x0) returned 0x1 [0060.714] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.714] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg", lpFilePart=0x0) returned 0x2f [0060.714] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jsitEZYllFX-rJ5-5Bo.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\jsitezyllfx-rj5-5bo.jpg")) returned 0 [0060.715] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.715] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.715] SetErrorMode (uMode=0x1) returned 0x0 [0060.715] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x201c1400, ftCreationTime.dwHighDateTime=0x1d5bcf8, ftLastAccessTime.dwLowDateTime=0xbba208a0, ftLastAccessTime.dwHighDateTime=0x1d5b85f, ftLastWriteTime.dwLowDateTime=0xbba208a0, ftLastWriteTime.dwHighDateTime=0x1d5b85f, nFileSizeHigh=0x0, nFileSizeLow=0x6eb5)) returned 1 [0060.715] SetErrorMode (uMode=0x0) returned 0x1 [0060.715] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.715] SetErrorMode (uMode=0x1) returned 0x0 [0060.715] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.715] GetFileType (hFile=0x30c) returned 0x1 [0060.715] SetErrorMode (uMode=0x0) returned 0x1 [0060.715] GetFileType (hFile=0x30c) returned 0x1 [0060.715] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-28314, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x1b [0060.715] ReadFile (in: hFile=0x30c, lpBuffer=0x3106230, nNumberOfBytesToRead=0x6e9a, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3106230*, lpNumberOfBytesRead=0xf1e738*=0x6e9a, lpOverlapped=0x0) returned 1 [0060.716] CloseHandle (hObject=0x30c) returned 1 [0060.716] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.716] SetErrorMode (uMode=0x1) returned 0x0 [0060.716] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.716] GetFileType (hFile=0x30c) returned 0x1 [0060.716] SetErrorMode (uMode=0x0) returned 0x1 [0060.716] GetFileType (hFile=0x30c) returned 0x1 [0060.716] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x6eb5 [0060.716] SetFilePointer (in: hFile=0x30c, lDistanceToMove=27, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x1b [0060.716] SetEndOfFile (hFile=0x30c) returned 1 [0060.722] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.723] CloseHandle (hObject=0x30c) returned 1 [0060.727] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.728] SetErrorMode (uMode=0x1) returned 0x0 [0060.728] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.728] GetFileType (hFile=0x30c) returned 0x1 [0060.728] SetErrorMode (uMode=0x0) returned 0x1 [0060.728] GetFileType (hFile=0x30c) returned 0x1 [0060.728] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x1b [0060.728] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.729] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.729] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.729] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.729] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6a8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6a8*=0x1000, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x30c, lpBuffer=0x3169f20*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3169f20*, lpNumberOfBytesWritten=0xf1e6d8*=0x16b, lpOverlapped=0x0) returned 1 [0060.730] CloseHandle (hObject=0x30c) returned 1 [0060.732] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.732] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x60 [0060.732] SetErrorMode (uMode=0x1) returned 0x0 [0060.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x201c1400, ftCreationTime.dwHighDateTime=0x1d5bcf8, ftLastAccessTime.dwLowDateTime=0xbba208a0, ftLastAccessTime.dwHighDateTime=0x1d5b85f, ftLastWriteTime.dwLowDateTime=0xda40c39e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xa186)) returned 1 [0060.732] SetErrorMode (uMode=0x0) returned 0x1 [0060.732] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.733] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc", lpFilePart=0x0) returned 0x30 [0060.733] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LYjoidXOr1cO RartGH6.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\lyjoidxor1co rartgh6.doc")) returned 0 [0060.733] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.733] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.733] SetErrorMode (uMode=0x1) returned 0x0 [0060.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaec6f80, ftCreationTime.dwHighDateTime=0x1d5c209, ftLastAccessTime.dwLowDateTime=0xa6e8bd60, ftLastAccessTime.dwHighDateTime=0x1d5bcb9, ftLastWriteTime.dwLowDateTime=0xa6e8bd60, ftLastWriteTime.dwHighDateTime=0x1d5bcb9, nFileSizeHigh=0x0, nFileSizeLow=0x15c63)) returned 1 [0060.734] SetErrorMode (uMode=0x0) returned 0x1 [0060.734] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.734] SetErrorMode (uMode=0x1) returned 0x0 [0060.734] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.734] GetFileType (hFile=0x30c) returned 0x1 [0060.734] SetErrorMode (uMode=0x0) returned 0x1 [0060.734] GetFileType (hFile=0x30c) returned 0x1 [0060.734] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x6264 [0060.734] ReadFile (in: hFile=0x30c, lpBuffer=0x316bf08, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x316bf08*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.735] CloseHandle (hObject=0x30c) returned 1 [0060.735] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.735] SetErrorMode (uMode=0x1) returned 0x0 [0060.735] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.735] GetFileType (hFile=0x30c) returned 0x1 [0060.735] SetErrorMode (uMode=0x0) returned 0x1 [0060.735] GetFileType (hFile=0x30c) returned 0x1 [0060.735] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x15c63 [0060.735] SetFilePointer (in: hFile=0x30c, lDistanceToMove=25188, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x6264 [0060.735] SetEndOfFile (hFile=0x30c) returned 1 [0060.737] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.737] CloseHandle (hObject=0x30c) returned 1 [0060.752] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.752] SetErrorMode (uMode=0x1) returned 0x0 [0060.752] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.752] GetFileType (hFile=0x30c) returned 0x1 [0060.752] SetErrorMode (uMode=0x0) returned 0x1 [0060.752] GetFileType (hFile=0x30c) returned 0x1 [0060.752] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x6264 [0060.752] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.753] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.754] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.755] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.755] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.755] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.755] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.755] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.756] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.757] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.757] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.757] WriteFile (in: hFile=0x30c, lpBuffer=0x31ee000*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x31ee000*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.757] CloseHandle (hObject=0x30c) returned 1 [0060.760] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.760] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5c [0060.760] SetErrorMode (uMode=0x1) returned 0x0 [0060.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaec6f80, ftCreationTime.dwHighDateTime=0x1d5c209, ftLastAccessTime.dwLowDateTime=0xa6e8bd60, ftLastAccessTime.dwHighDateTime=0x1d5bcb9, ftLastWriteTime.dwLowDateTime=0xda458776, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1cf23)) returned 1 [0060.760] SetErrorMode (uMode=0x0) returned 0x1 [0060.760] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.761] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv", lpFilePart=0x0) returned 0x2c [0060.761] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mfI3M 25waSS25or.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\mfi3m 25wass25or.mkv")) returned 0 [0060.761] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.761] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.761] SetErrorMode (uMode=0x1) returned 0x0 [0060.761] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87a6c070, ftCreationTime.dwHighDateTime=0x1d5b67c, ftLastAccessTime.dwLowDateTime=0x563b39b0, ftLastAccessTime.dwHighDateTime=0x1d5ba11, ftLastWriteTime.dwLowDateTime=0x563b39b0, ftLastWriteTime.dwHighDateTime=0x1d5ba11, nFileSizeHigh=0x0, nFileSizeLow=0x1697d)) returned 1 [0060.761] SetErrorMode (uMode=0x0) returned 0x1 [0060.761] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.761] SetErrorMode (uMode=0x1) returned 0x0 [0060.761] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.762] GetFileType (hFile=0x30c) returned 0x1 [0060.762] SetErrorMode (uMode=0x0) returned 0x1 [0060.762] GetFileType (hFile=0x30c) returned 0x1 [0060.762] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x6f7e [0060.762] ReadFile (in: hFile=0x30c, lpBuffer=0x31eff98, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x31eff98*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.762] CloseHandle (hObject=0x30c) returned 1 [0060.762] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.762] SetErrorMode (uMode=0x1) returned 0x0 [0060.762] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.763] GetFileType (hFile=0x30c) returned 0x1 [0060.763] SetErrorMode (uMode=0x0) returned 0x1 [0060.763] GetFileType (hFile=0x30c) returned 0x1 [0060.763] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x1697d [0060.763] SetFilePointer (in: hFile=0x30c, lDistanceToMove=28542, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x6f7e [0060.763] SetEndOfFile (hFile=0x30c) returned 1 [0060.767] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.767] CloseHandle (hObject=0x30c) returned 1 [0060.784] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.784] SetErrorMode (uMode=0x1) returned 0x0 [0060.784] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.784] GetFileType (hFile=0x30c) returned 0x1 [0060.784] SetErrorMode (uMode=0x0) returned 0x1 [0060.784] GetFileType (hFile=0x30c) returned 0x1 [0060.784] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x6f7e [0060.784] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x30c, lpBuffer=0x3070058*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3070058*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.789] CloseHandle (hObject=0x30c) returned 1 [0060.791] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.791] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x55 [0060.791] SetErrorMode (uMode=0x1) returned 0x0 [0060.792] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87a6c070, ftCreationTime.dwHighDateTime=0x1d5b67c, ftLastAccessTime.dwLowDateTime=0x563b39b0, ftLastAccessTime.dwHighDateTime=0x1d5ba11, ftLastWriteTime.dwLowDateTime=0xda4a4b02, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1dc3d)) returned 1 [0060.792] SetErrorMode (uMode=0x0) returned 0x1 [0060.792] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.792] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav", lpFilePart=0x0) returned 0x25 [0060.792] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\mUWrftnYC.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\muwrftnyc.wav")) returned 0 [0060.792] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.792] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.792] SetErrorMode (uMode=0x1) returned 0x0 [0060.792] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44dc4490, ftCreationTime.dwHighDateTime=0x1d5c0fe, ftLastAccessTime.dwLowDateTime=0xb14ab520, ftLastAccessTime.dwHighDateTime=0x1d5c54b, ftLastWriteTime.dwLowDateTime=0xb14ab520, ftLastWriteTime.dwHighDateTime=0x1d5c54b, nFileSizeHigh=0x0, nFileSizeLow=0x1106e)) returned 1 [0060.793] SetErrorMode (uMode=0x0) returned 0x1 [0060.793] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.793] SetErrorMode (uMode=0x1) returned 0x0 [0060.793] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.793] GetFileType (hFile=0x30c) returned 0x1 [0060.793] SetErrorMode (uMode=0x0) returned 0x1 [0060.793] GetFileType (hFile=0x30c) returned 0x1 [0060.793] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x166f [0060.793] ReadFile (in: hFile=0x30c, lpBuffer=0x307efb0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x307efb0*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.794] CloseHandle (hObject=0x30c) returned 1 [0060.794] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.794] SetErrorMode (uMode=0x1) returned 0x0 [0060.794] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.794] GetFileType (hFile=0x30c) returned 0x1 [0060.794] SetErrorMode (uMode=0x0) returned 0x1 [0060.794] GetFileType (hFile=0x30c) returned 0x1 [0060.794] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x1106e [0060.794] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5743, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x166f [0060.794] SetEndOfFile (hFile=0x30c) returned 1 [0060.797] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.797] CloseHandle (hObject=0x30c) returned 1 [0060.810] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.810] SetErrorMode (uMode=0x1) returned 0x0 [0060.810] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.810] GetFileType (hFile=0x30c) returned 0x1 [0060.810] SetErrorMode (uMode=0x0) returned 0x1 [0060.810] GetFileType (hFile=0x30c) returned 0x1 [0060.810] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x166f [0060.810] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.812] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.813] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.814] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.815] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.816] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.816] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.816] WriteFile (in: hFile=0x30c, lpBuffer=0x3101078*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3101078*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.816] CloseHandle (hObject=0x30c) returned 1 [0060.818] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.818] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x59 [0060.819] SetErrorMode (uMode=0x1) returned 0x0 [0060.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44dc4490, ftCreationTime.dwHighDateTime=0x1d5c0fe, ftLastAccessTime.dwLowDateTime=0xb14ab520, ftLastAccessTime.dwHighDateTime=0x1d5c54b, ftLastWriteTime.dwLowDateTime=0xda4f0f15, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1832e)) returned 1 [0060.819] SetErrorMode (uMode=0x0) returned 0x1 [0060.819] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.819] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv", lpFilePart=0x0) returned 0x29 [0060.819] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NOXbRAUzS2JOG.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\noxbrauzs2jog.mkv")) returned 0 [0060.819] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.819] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.819] SetErrorMode (uMode=0x1) returned 0x0 [0060.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c770530, ftCreationTime.dwHighDateTime=0x1d5bffc, ftLastAccessTime.dwLowDateTime=0x2d920310, ftLastAccessTime.dwHighDateTime=0x1d5c5f9, ftLastWriteTime.dwLowDateTime=0x2d920310, ftLastWriteTime.dwHighDateTime=0x1d5c5f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ff6)) returned 1 [0060.820] SetErrorMode (uMode=0x0) returned 0x1 [0060.820] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.820] SetErrorMode (uMode=0x1) returned 0x0 [0060.820] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.820] GetFileType (hFile=0x30c) returned 0x1 [0060.820] SetErrorMode (uMode=0x0) returned 0x1 [0060.820] GetFileType (hFile=0x30c) returned 0x1 [0060.820] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-8073, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x6d [0060.820] ReadFile (in: hFile=0x30c, lpBuffer=0x3102ff0, nNumberOfBytesToRead=0x1f89, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3102ff0*, lpNumberOfBytesRead=0xf1e738*=0x1f89, lpOverlapped=0x0) returned 1 [0060.820] CloseHandle (hObject=0x30c) returned 1 [0060.820] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.820] SetErrorMode (uMode=0x1) returned 0x0 [0060.820] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.820] GetFileType (hFile=0x30c) returned 0x1 [0060.821] SetErrorMode (uMode=0x0) returned 0x1 [0060.821] GetFileType (hFile=0x30c) returned 0x1 [0060.821] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x1ff6 [0060.821] SetFilePointer (in: hFile=0x30c, lDistanceToMove=109, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x6d [0060.821] SetEndOfFile (hFile=0x30c) returned 1 [0060.823] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.823] CloseHandle (hObject=0x30c) returned 1 [0060.824] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.824] SetErrorMode (uMode=0x1) returned 0x0 [0060.824] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.825] GetFileType (hFile=0x30c) returned 0x1 [0060.825] SetErrorMode (uMode=0x0) returned 0x1 [0060.825] GetFileType (hFile=0x30c) returned 0x1 [0060.825] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x6d [0060.825] WriteFile (in: hFile=0x30c, lpBuffer=0x3124268*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3124268*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.826] WriteFile (in: hFile=0x30c, lpBuffer=0x3124268*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3124268*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.826] WriteFile (in: hFile=0x30c, lpBuffer=0x3124268*, nNumberOfBytesToWrite=0xe13, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3124268*, lpNumberOfBytesWritten=0xf1e6d8*=0xe13, lpOverlapped=0x0) returned 1 [0060.826] CloseHandle (hObject=0x30c) returned 1 [0060.827] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.827] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0060.827] SetErrorMode (uMode=0x1) returned 0x0 [0060.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c770530, ftCreationTime.dwHighDateTime=0x1d5bffc, ftLastAccessTime.dwLowDateTime=0x2d920310, ftLastAccessTime.dwHighDateTime=0x1d5c5f9, ftLastWriteTime.dwLowDateTime=0xda5182b7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2e80)) returned 1 [0060.827] SetErrorMode (uMode=0x0) returned 0x1 [0060.827] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.828] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt", lpFilePart=0x0) returned 0x24 [0060.828] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\OX8GrNcx.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\ox8grncx.odt")) returned 0 [0060.828] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.828] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.828] SetErrorMode (uMode=0x1) returned 0x0 [0060.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70bd220, ftCreationTime.dwHighDateTime=0x1d5bfa0, ftLastAccessTime.dwLowDateTime=0x6daeeaa0, ftLastAccessTime.dwHighDateTime=0x1d5bcb5, ftLastWriteTime.dwLowDateTime=0x6daeeaa0, ftLastWriteTime.dwHighDateTime=0x1d5bcb5, nFileSizeHigh=0x0, nFileSizeLow=0xba8d)) returned 1 [0060.828] SetErrorMode (uMode=0x0) returned 0x1 [0060.828] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.828] SetErrorMode (uMode=0x1) returned 0x0 [0060.828] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.828] GetFileType (hFile=0x30c) returned 0x1 [0060.828] SetErrorMode (uMode=0x0) returned 0x1 [0060.828] GetFileType (hFile=0x30c) returned 0x1 [0060.828] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-47736, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x15 [0060.828] ReadFile (in: hFile=0x30c, lpBuffer=0x31261c0, nNumberOfBytesToRead=0xba78, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x31261c0*, lpNumberOfBytesRead=0xf1e738*=0xba78, lpOverlapped=0x0) returned 1 [0060.829] CloseHandle (hObject=0x30c) returned 1 [0060.829] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.829] SetErrorMode (uMode=0x1) returned 0x0 [0060.829] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.829] GetFileType (hFile=0x30c) returned 0x1 [0060.829] SetErrorMode (uMode=0x0) returned 0x1 [0060.829] GetFileType (hFile=0x30c) returned 0x1 [0060.829] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0xba8d [0060.829] SetFilePointer (in: hFile=0x30c, lDistanceToMove=21, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x15 [0060.829] SetEndOfFile (hFile=0x30c) returned 1 [0060.832] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.832] CloseHandle (hObject=0x30c) returned 1 [0060.845] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.845] SetErrorMode (uMode=0x1) returned 0x0 [0060.846] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.846] GetFileType (hFile=0x30c) returned 0x1 [0060.846] SetErrorMode (uMode=0x0) returned 0x1 [0060.846] GetFileType (hFile=0x30c) returned 0x1 [0060.846] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x15 [0060.846] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.847] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.847] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.847] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.847] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.847] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.848] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6a8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6a8*=0x1000, lpOverlapped=0x0) returned 1 [0060.849] WriteFile (in: hFile=0x30c, lpBuffer=0x318e9f0*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x318e9f0*, lpNumberOfBytesWritten=0xf1e6d8*=0x13, lpOverlapped=0x0) returned 1 [0060.849] CloseHandle (hObject=0x30c) returned 1 [0060.851] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.851] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x55 [0060.851] SetErrorMode (uMode=0x1) returned 0x0 [0060.851] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70bd220, ftCreationTime.dwHighDateTime=0x1d5bfa0, ftLastAccessTime.dwLowDateTime=0x6daeeaa0, ftLastAccessTime.dwHighDateTime=0x1d5bcb5, ftLastWriteTime.dwLowDateTime=0xda53d624, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11028)) returned 1 [0060.851] SetErrorMode (uMode=0x0) returned 0x1 [0060.851] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.852] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif", lpFilePart=0x0) returned 0x25 [0060.852] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\P1QsDkkSO.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\p1qsdkkso.gif")) returned 0 [0060.852] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.852] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.852] SetErrorMode (uMode=0x1) returned 0x0 [0060.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7476a870, ftCreationTime.dwHighDateTime=0x1d5b650, ftLastAccessTime.dwLowDateTime=0xf148fd40, ftLastAccessTime.dwHighDateTime=0x1d5bc6c, ftLastWriteTime.dwLowDateTime=0xf148fd40, ftLastWriteTime.dwHighDateTime=0x1d5bc6c, nFileSizeHigh=0x0, nFileSizeLow=0x154f6)) returned 1 [0060.852] SetErrorMode (uMode=0x0) returned 0x1 [0060.852] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.852] SetErrorMode (uMode=0x1) returned 0x0 [0060.852] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.853] GetFileType (hFile=0x30c) returned 0x1 [0060.853] SetErrorMode (uMode=0x0) returned 0x1 [0060.853] GetFileType (hFile=0x30c) returned 0x1 [0060.853] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x5af7 [0060.853] ReadFile (in: hFile=0x30c, lpBuffer=0x3190990, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x3190990*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.853] CloseHandle (hObject=0x30c) returned 1 [0060.853] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.853] SetErrorMode (uMode=0x1) returned 0x0 [0060.853] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.853] GetFileType (hFile=0x30c) returned 0x1 [0060.853] SetErrorMode (uMode=0x0) returned 0x1 [0060.854] GetFileType (hFile=0x30c) returned 0x1 [0060.854] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x154f6 [0060.854] SetFilePointer (in: hFile=0x30c, lDistanceToMove=23287, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x5af7 [0060.854] SetEndOfFile (hFile=0x30c) returned 1 [0060.856] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.856] CloseHandle (hObject=0x30c) returned 1 [0060.893] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.894] SetErrorMode (uMode=0x1) returned 0x0 [0060.894] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.894] GetFileType (hFile=0x30c) returned 0x1 [0060.894] SetErrorMode (uMode=0x0) returned 0x1 [0060.894] GetFileType (hFile=0x30c) returned 0x1 [0060.894] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x5af7 [0060.894] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.895] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.895] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.895] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.896] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.897] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.898] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.899] WriteFile (in: hFile=0x30c, lpBuffer=0x2fef700*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x2fef700*, lpNumberOfBytesWritten=0xf1e6d8*=0xcbf, lpOverlapped=0x0) returned 1 [0060.899] CloseHandle (hObject=0x30c) returned 1 [0060.901] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.901] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x60 [0060.901] SetErrorMode (uMode=0x1) returned 0x0 [0060.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7476a870, ftCreationTime.dwHighDateTime=0x1d5b650, ftLastAccessTime.dwLowDateTime=0xf148fd40, ftLastAccessTime.dwHighDateTime=0x1d5bc6c, ftLastWriteTime.dwLowDateTime=0xda5afd10, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c7b6)) returned 1 [0060.902] SetErrorMode (uMode=0x0) returned 0x1 [0060.902] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.902] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp", lpFilePart=0x0) returned 0x30 [0060.902] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PKWu5Wtief7lpBuOI5Rq.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\pkwu5wtief7lpbuoi5rq.bmp")) returned 0 [0060.902] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.902] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.903] SetErrorMode (uMode=0x1) returned 0x0 [0060.903] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7178a40, ftCreationTime.dwHighDateTime=0x1d5b7b7, ftLastAccessTime.dwLowDateTime=0xa27f9b30, ftLastAccessTime.dwHighDateTime=0x1d5c00c, ftLastWriteTime.dwLowDateTime=0xa27f9b30, ftLastWriteTime.dwHighDateTime=0x1d5c00c, nFileSizeHigh=0x0, nFileSizeLow=0xa1b1)) returned 1 [0060.903] SetErrorMode (uMode=0x0) returned 0x1 [0060.903] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.903] SetErrorMode (uMode=0x1) returned 0x0 [0060.903] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.903] GetFileType (hFile=0x30c) returned 0x1 [0060.903] SetErrorMode (uMode=0x0) returned 0x1 [0060.903] GetFileType (hFile=0x30c) returned 0x1 [0060.903] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-41301, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x5c [0060.903] ReadFile (in: hFile=0x30c, lpBuffer=0x2ff16d0, nNumberOfBytesToRead=0xa155, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x2ff16d0*, lpNumberOfBytesRead=0xf1e738*=0xa155, lpOverlapped=0x0) returned 1 [0060.904] CloseHandle (hObject=0x30c) returned 1 [0060.904] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.904] SetErrorMode (uMode=0x1) returned 0x0 [0060.904] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.904] GetFileType (hFile=0x30c) returned 0x1 [0060.904] SetErrorMode (uMode=0x0) returned 0x1 [0060.904] GetFileType (hFile=0x30c) returned 0x1 [0060.904] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0xa1b1 [0060.904] SetFilePointer (in: hFile=0x30c, lDistanceToMove=92, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x5c [0060.904] SetEndOfFile (hFile=0x30c) returned 1 [0060.949] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.949] CloseHandle (hObject=0x30c) returned 1 [0060.957] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.957] SetErrorMode (uMode=0x1) returned 0x0 [0060.957] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.957] GetFileType (hFile=0x30c) returned 0x1 [0060.957] SetErrorMode (uMode=0x0) returned 0x1 [0060.957] GetFileType (hFile=0x30c) returned 0x1 [0060.957] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x5c [0060.957] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.958] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.958] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.958] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.959] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.960] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.960] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.960] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.960] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0060.960] WriteFile (in: hFile=0x30c, lpBuffer=0x3050a50*, nNumberOfBytesToWrite=0xb6b, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x3050a50*, lpNumberOfBytesWritten=0xf1e6d8*=0xb6b, lpOverlapped=0x0) returned 1 [0060.960] CloseHandle (hObject=0x30c) returned 1 [0060.962] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.962] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5a [0060.962] SetErrorMode (uMode=0x1) returned 0x0 [0060.962] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7178a40, ftCreationTime.dwHighDateTime=0x1d5b7b7, ftLastAccessTime.dwLowDateTime=0xa27f9b30, ftLastAccessTime.dwHighDateTime=0x1d5c00c, ftLastWriteTime.dwLowDateTime=0xda648672, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xebc7)) returned 1 [0060.963] SetErrorMode (uMode=0x0) returned 0x1 [0060.963] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0060.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3", lpFilePart=0x0) returned 0x2a [0060.963] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S0JM6N_kv2iT0Y.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\s0jm6n_kv2it0y.mp3")) returned 0 [0060.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", nBufferLength=0x105, lpBuffer=0xf1e510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", lpFilePart=0x0) returned 0x2b [0060.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", lpFilePart=0x0) returned 0x2b [0060.963] SetErrorMode (uMode=0x1) returned 0x0 [0060.963] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5297bf00, ftCreationTime.dwHighDateTime=0x1d5c497, ftLastAccessTime.dwLowDateTime=0xca69fe50, ftLastAccessTime.dwHighDateTime=0x1d5b9b9, ftLastWriteTime.dwLowDateTime=0xca69fe50, ftLastWriteTime.dwHighDateTime=0x1d5b9b9, nFileSizeHigh=0x0, nFileSizeLow=0x12bf2)) returned 1 [0060.964] SetErrorMode (uMode=0x0) returned 0x1 [0060.964] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", lpFilePart=0x0) returned 0x2b [0060.964] SetErrorMode (uMode=0x1) returned 0x0 [0060.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.964] GetFileType (hFile=0x30c) returned 0x1 [0060.964] SetErrorMode (uMode=0x0) returned 0x1 [0060.964] GetFileType (hFile=0x30c) returned 0x1 [0060.964] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x31f3 [0060.964] ReadFile (in: hFile=0x30c, lpBuffer=0x30529e0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e738, lpOverlapped=0x0 | out: lpBuffer=0x30529e0*, lpNumberOfBytesRead=0xf1e738*=0xf9ff, lpOverlapped=0x0) returned 1 [0060.964] CloseHandle (hObject=0x30c) returned 1 [0060.964] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", lpFilePart=0x0) returned 0x2b [0060.965] SetErrorMode (uMode=0x1) returned 0x0 [0060.965] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0060.965] GetFileType (hFile=0x30c) returned 0x1 [0060.965] SetErrorMode (uMode=0x0) returned 0x1 [0060.965] GetFileType (hFile=0x30c) returned 0x1 [0060.965] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x12bf2 [0060.965] SetFilePointer (in: hFile=0x30c, lDistanceToMove=12787, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x31f3 [0060.965] SetEndOfFile (hFile=0x30c) returned 1 [0060.968] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e8b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e8b0*=0) returned 0x0 [0060.968] CloseHandle (hObject=0x30c) returned 1 [0060.981] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", nBufferLength=0x105, lpBuffer=0xf1e170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif", lpFilePart=0x0) returned 0x2b [0060.981] SetErrorMode (uMode=0x1) returned 0x0 [0060.981] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0060.981] GetFileType (hFile=0x30c) returned 0x1 [0060.981] SetErrorMode (uMode=0x0) returned 0x1 [0060.981] GetFileType (hFile=0x30c) returned 0x1 [0060.981] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x31f3 [0060.982] WriteFile (in: hFile=0x30c, lpBuffer=0x30d54b8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30d54b8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0061.035] WriteFile (in: hFile=0x30c, lpBuffer=0x30d54b8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30d54b8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0061.035] WriteFile (in: hFile=0x30c, lpBuffer=0x30d54b8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30d54b8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0061.036] WriteFile (in: hFile=0x30c, lpBuffer=0x30d54b8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6d8, lpOverlapped=0x0 | out: lpBuffer=0x30d54b8*, lpNumberOfBytesWritten=0xf1e6d8*=0x1000, lpOverlapped=0x0) returned 1 [0061.038] CloseHandle (hObject=0x30c) returned 1 [0061.041] SetErrorMode (uMode=0x1) returned 0x0 [0061.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5297bf00, ftCreationTime.dwHighDateTime=0x1d5c497, ftLastAccessTime.dwLowDateTime=0xca69fe50, ftLastAccessTime.dwHighDateTime=0x1d5b9b9, ftLastWriteTime.dwLowDateTime=0xda707205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19eb2)) returned 1 [0061.041] SetErrorMode (uMode=0x0) returned 0x1 [0061.041] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\VfW_67RL 5rflPX.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\vfw_67rl 5rflpx.gif[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.042] SetErrorMode (uMode=0x1) returned 0x0 [0061.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05a3b50, ftCreationTime.dwHighDateTime=0x1d5ba6e, ftLastAccessTime.dwLowDateTime=0x79528a00, ftLastAccessTime.dwHighDateTime=0x1d5c45e, ftLastWriteTime.dwLowDateTime=0x79528a00, ftLastWriteTime.dwHighDateTime=0x1d5c45e, nFileSizeHigh=0x0, nFileSizeLow=0x889c)) returned 1 [0061.042] SetErrorMode (uMode=0x0) returned 0x1 [0061.042] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4", lpFilePart=0x0) returned 0x26 [0061.042] SetErrorMode (uMode=0x1) returned 0x0 [0061.042] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.043] SetErrorMode (uMode=0x0) returned 0x1 [0061.043] GetFileType (hFile=0x30c) returned 0x1 [0061.043] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-34866, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x6a [0061.043] CloseHandle (hObject=0x30c) returned 1 [0061.043] SetErrorMode (uMode=0x1) returned 0x0 [0061.043] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.043] SetErrorMode (uMode=0x0) returned 0x1 [0061.043] GetFileType (hFile=0x30c) returned 0x1 [0061.043] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x889c [0061.046] CloseHandle (hObject=0x30c) returned 1 [0061.053] SetErrorMode (uMode=0x1) returned 0x0 [0061.053] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.053] SetErrorMode (uMode=0x0) returned 0x1 [0061.053] GetFileType (hFile=0x30c) returned 0x1 [0061.053] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x6a [0061.055] CloseHandle (hObject=0x30c) returned 1 [0061.055] SetErrorMode (uMode=0x1) returned 0x0 [0061.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05a3b50, ftCreationTime.dwHighDateTime=0x1d5ba6e, ftLastAccessTime.dwLowDateTime=0x79528a00, ftLastAccessTime.dwHighDateTime=0x1d5c45e, ftLastWriteTime.dwLowDateTime=0xda72d30a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xc729)) returned 1 [0061.056] SetErrorMode (uMode=0x0) returned 0x1 [0061.056] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\W3XiYmUciw.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\w3xiymuciw.mp4[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.059] SetErrorMode (uMode=0x1) returned 0x0 [0061.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0x61585b70, ftLastWriteTime.dwHighDateTime=0x1d5c1f0, nFileSizeHigh=0x0, nFileSizeLow=0x7cea)) returned 1 [0061.060] SetErrorMode (uMode=0x0) returned 0x1 [0061.060] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf", lpFilePart=0x0) returned 0x29 [0061.060] SetErrorMode (uMode=0x1) returned 0x0 [0061.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.060] SetErrorMode (uMode=0x0) returned 0x1 [0061.060] GetFileType (hFile=0x30c) returned 0x1 [0061.060] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-31941, lpDistanceToMoveHigh=0xf1e8a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e8a0*=0) returned 0x25 [0061.060] CloseHandle (hObject=0x30c) returned 1 [0061.060] SetErrorMode (uMode=0x1) returned 0x0 [0061.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.061] SetErrorMode (uMode=0x0) returned 0x1 [0061.061] GetFileType (hFile=0x30c) returned 0x1 [0061.061] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e858 | out: lpFileSizeHigh=0xf1e858*=0x0) returned 0x7cea [0061.063] CloseHandle (hObject=0x30c) returned 1 [0061.069] SetErrorMode (uMode=0x1) returned 0x0 [0061.069] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.069] SetErrorMode (uMode=0x0) returned 0x1 [0061.069] GetFileType (hFile=0x30c) returned 0x1 [0061.069] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5e0*=0) returned 0x25 [0061.071] CloseHandle (hObject=0x30c) returned 1 [0061.071] SetErrorMode (uMode=0x1) returned 0x0 [0061.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), fInfoLevelId=0x0, lpFileInformation=0xf1e710 | out: lpFileInformation=0xf1e710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0xda753745, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb638)) returned 1 [0061.071] SetErrorMode (uMode=0x0) returned 0x1 [0061.071] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\xkXLYODV5dZ9R.pdf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\xkxlyodv5dz9r.pdf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.155] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x2f [0061.155] SetErrorMode (uMode=0x1) returned 0x0 [0061.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\#DECRYPT MY FILES#.html" (normalized: "c:\\users\\fd1hvy\\desktop\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.156] GetFileType (hFile=0x30c) returned 0x1 [0061.156] SetErrorMode (uMode=0x0) returned 0x1 [0061.156] GetFileType (hFile=0x30c) returned 0x1 [0061.156] WriteFile (in: hFile=0x30c, lpBuffer=0x3184030*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e788, lpOverlapped=0x0 | out: lpBuffer=0x3184030*, lpNumberOfBytesWritten=0xf1e788*=0x1000, lpOverlapped=0x0) returned 1 [0061.157] WriteFile (in: hFile=0x30c, lpBuffer=0x3184030*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e788, lpOverlapped=0x0 | out: lpBuffer=0x3184030*, lpNumberOfBytesWritten=0xf1e788*=0x443, lpOverlapped=0x0) returned 1 [0061.158] CloseHandle (hObject=0x30c) returned 1 [0061.159] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0061.159] SetErrorMode (uMode=0x1) returned 0x0 [0061.159] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xda753745, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xda838675, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0061.159] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xda753745, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xda838675, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda838675, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xda838675, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xda838675, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8461af30, ftCreationTime.dwHighDateTime=0x1d5c480, ftLastAccessTime.dwLowDateTime=0xa6fcf660, ftLastAccessTime.dwHighDateTime=0x1d5ba00, ftLastWriteTime.dwLowDateTime=0xd72ec993, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8e60, dwReserved0=0x0, dwReserved1=0x0, cFileName="9kqgbPRnCB3J.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="9KQGBP~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6da183a0, ftCreationTime.dwHighDateTime=0x1d5b653, ftLastAccessTime.dwLowDateTime=0xc750c5f0, ftLastAccessTime.dwHighDateTime=0x1d5c305, ftLastWriteTime.dwLowDateTime=0xd73ab4b1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xfaf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="aJjJomlXtRW.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="AJJJOM~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5958240, ftCreationTime.dwHighDateTime=0x1d5ba70, ftLastAccessTime.dwLowDateTime=0x27d0bf0, ftLastAccessTime.dwHighDateTime=0x1d5c551, ftLastWriteTime.dwLowDateTime=0xd75c1309, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2c66, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN6-Pxxi.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="AN6-PX~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9f2a0, ftCreationTime.dwHighDateTime=0x1d5c588, ftLastAccessTime.dwLowDateTime=0xf92d8ae0, ftLastAccessTime.dwHighDateTime=0x1d5c3eb, ftLastWriteTime.dwLowDateTime=0xd77b1237, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1d685, dwReserved0=0x0, dwReserved1=0x0, cFileName="AOHiWgJ_sDNW 3pSUMTE.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="AOHIWG~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bba78e0, ftCreationTime.dwHighDateTime=0x1d5c2c9, ftLastAccessTime.dwLowDateTime=0xa6cf2780, ftLastAccessTime.dwHighDateTime=0x1d5b6fe, ftLastWriteTime.dwLowDateTime=0xd77fd99d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b615, dwReserved0=0x0, dwReserved1=0x0, cFileName="aWNU.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="AWNUM4~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8e60a0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x61ef4ce0, ftLastAccessTime.dwHighDateTime=0x1d5c143, ftLastWriteTime.dwLowDateTime=0xd7896285, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x61b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="d8U.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="D8UMP3~1.PRT")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xd78bc2ef, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19b, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="")) returned 1 [0061.160] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5be4880, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xb5be4880, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xb3f48500, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="DP_Main.exe", cAlternateFileName="")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb321130, ftCreationTime.dwHighDateTime=0x1d5bc6f, ftLastAccessTime.dwLowDateTime=0x2df41ef0, ftLastAccessTime.dwHighDateTime=0x1d5b650, ftLastWriteTime.dwLowDateTime=0xd7d5ae49, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xa393, dwReserved0=0x0, dwReserved1=0x0, cFileName="FHxozOc_QKE.png[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="FHXOZO~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddb61640, ftCreationTime.dwHighDateTime=0x1d5b7d6, ftLastAccessTime.dwLowDateTime=0xe32d29b0, ftLastAccessTime.dwHighDateTime=0x1d5c1ef, ftLastWriteTime.dwLowDateTime=0xd7f4aa09, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcbab, dwReserved0=0x0, dwReserved1=0x0, cFileName="HAMwLsfXQw AUyW.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="HAMWLS~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2c1610, ftCreationTime.dwHighDateTime=0x1d5bcf2, ftLastAccessTime.dwLowDateTime=0x9bda2d90, ftLastAccessTime.dwHighDateTime=0x1d5b8eb, ftLastWriteTime.dwLowDateTime=0xda28eb8a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c8ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="hIB45OhCIGM_rvc7.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="HIB45O~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd44eb16f, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xd44eb16f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd44eb16f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="id.dp", cAlternateFileName="")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3ec56a0, ftCreationTime.dwHighDateTime=0x1d5c41b, ftLastAccessTime.dwLowDateTime=0xe12ca6a0, ftLastAccessTime.dwHighDateTime=0x1d5c31f, ftLastWriteTime.dwLowDateTime=0xda2db09f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xd5ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="J6aDIHYLiICtbUWWpQ-a.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="J6ADIH~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8384730, ftCreationTime.dwHighDateTime=0x1d5b609, ftLastAccessTime.dwLowDateTime=0xb2290bb0, ftLastAccessTime.dwHighDateTime=0x1d5b7ac, ftLastWriteTime.dwLowDateTime=0xda34d5d9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x17c61, dwReserved0=0x0, dwReserved1=0x0, cFileName="j86dCykR.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="J86DCY~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca2bee60, ftCreationTime.dwHighDateTime=0x1d5b80d, ftLastAccessTime.dwLowDateTime=0x199db790, ftLastAccessTime.dwHighDateTime=0x1d5b862, ftLastWriteTime.dwLowDateTime=0xda3c21d0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e784, dwReserved0=0x0, dwReserved1=0x0, cFileName="JPGBwvW6.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="JPGBWV~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa679aa00, ftCreationTime.dwHighDateTime=0x1d5b8aa, ftLastAccessTime.dwLowDateTime=0x42305c70, ftLastAccessTime.dwHighDateTime=0x1d5bc32, ftLastWriteTime.dwLowDateTime=0xda3e60f2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x189f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsitEZYllFX-rJ5-5Bo.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="JSITEZ~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x201c1400, ftCreationTime.dwHighDateTime=0x1d5bcf8, ftLastAccessTime.dwLowDateTime=0xbba208a0, ftLastAccessTime.dwHighDateTime=0x1d5b85f, ftLastWriteTime.dwLowDateTime=0xda40c39e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xa186, dwReserved0=0x0, dwReserved1=0x0, cFileName="LYjoidXOr1cO RartGH6.doc[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="LYJOID~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaec6f80, ftCreationTime.dwHighDateTime=0x1d5c209, ftLastAccessTime.dwLowDateTime=0xa6e8bd60, ftLastAccessTime.dwHighDateTime=0x1d5bcb9, ftLastWriteTime.dwLowDateTime=0xda458776, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1cf23, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfI3M 25waSS25or.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MFI3M2~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87a6c070, ftCreationTime.dwHighDateTime=0x1d5b67c, ftLastAccessTime.dwLowDateTime=0x563b39b0, ftLastAccessTime.dwHighDateTime=0x1d5ba11, ftLastWriteTime.dwLowDateTime=0xda4a4b02, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1dc3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="mUWrftnYC.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MUWRFT~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44dc4490, ftCreationTime.dwHighDateTime=0x1d5c0fe, ftLastAccessTime.dwLowDateTime=0xb14ab520, ftLastAccessTime.dwHighDateTime=0x1d5c54b, ftLastWriteTime.dwLowDateTime=0xda4f0f15, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1832e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NOXbRAUzS2JOG.mkv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="NOXBRA~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c770530, ftCreationTime.dwHighDateTime=0x1d5bffc, ftLastAccessTime.dwLowDateTime=0x2d920310, ftLastAccessTime.dwHighDateTime=0x1d5c5f9, ftLastWriteTime.dwLowDateTime=0xda5182b7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2e80, dwReserved0=0x0, dwReserved1=0x0, cFileName="OX8GrNcx.odt[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="OX8GRN~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70bd220, ftCreationTime.dwHighDateTime=0x1d5bfa0, ftLastAccessTime.dwLowDateTime=0x6daeeaa0, ftLastAccessTime.dwHighDateTime=0x1d5bcb5, ftLastWriteTime.dwLowDateTime=0xda53d624, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11028, dwReserved0=0x0, dwReserved1=0x0, cFileName="P1QsDkkSO.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="P1QSDK~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7476a870, ftCreationTime.dwHighDateTime=0x1d5b650, ftLastAccessTime.dwLowDateTime=0xf148fd40, ftLastAccessTime.dwHighDateTime=0x1d5bc6c, ftLastWriteTime.dwLowDateTime=0xda5afd10, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c7b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKWu5Wtief7lpBuOI5Rq.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PKWU5W~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7178a40, ftCreationTime.dwHighDateTime=0x1d5b7b7, ftLastAccessTime.dwLowDateTime=0xa27f9b30, ftLastAccessTime.dwHighDateTime=0x1d5c00c, ftLastWriteTime.dwLowDateTime=0xda648672, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xebc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="S0JM6N_kv2iT0Y.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="S0JM6N~1.PRT")) returned 1 [0061.161] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0x86109470, ftLastAccessTime.dwHighDateTime=0x1d5b69a, ftLastWriteTime.dwLowDateTime=0x86109470, ftLastWriteTime.dwHighDateTime=0x1d5b69a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="URfyazp6YCOme0Ken", cAlternateFileName="URFYAZ~1")) returned 1 [0061.162] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5297bf00, ftCreationTime.dwHighDateTime=0x1d5c497, ftLastAccessTime.dwLowDateTime=0xca69fe50, ftLastAccessTime.dwHighDateTime=0x1d5b9b9, ftLastWriteTime.dwLowDateTime=0xda707205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19eb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="VfW_67RL 5rflPX.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="VFW_67~1.PRT")) returned 1 [0061.162] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05a3b50, ftCreationTime.dwHighDateTime=0x1d5ba6e, ftLastAccessTime.dwLowDateTime=0x79528a00, ftLastAccessTime.dwHighDateTime=0x1d5c45e, ftLastWriteTime.dwLowDateTime=0xda72d30a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xc729, dwReserved0=0x0, dwReserved1=0x0, cFileName="W3XiYmUciw.mp4[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="W3XIYM~1.PRT")) returned 1 [0061.162] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0xda753745, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb638, dwReserved0=0x0, dwReserved1=0x0, cFileName="xkXLYODV5dZ9R.pdf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="XKXLYO~1.PRT")) returned 1 [0061.162] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5c0 | out: lpFindFileData=0xf1e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe254260, ftCreationTime.dwHighDateTime=0x1d5bb23, ftLastAccessTime.dwLowDateTime=0x61585b70, ftLastAccessTime.dwHighDateTime=0x1d5c1f0, ftLastWriteTime.dwLowDateTime=0xda753745, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb638, dwReserved0=0x0, dwReserved1=0x0, cFileName="xkXLYODV5dZ9R.pdf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="XKXLYO~1.PRT")) returned 0 [0061.162] FindClose (in: hFindFile=0x10b3770 | out: hFindFile=0x10b3770) returned 1 [0061.162] SetErrorMode (uMode=0x0) returned 0x1 [0061.162] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0061.162] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0061.162] CoTaskMemFree (pv=0x10bd8a0) [0061.162] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0061.162] CoCreateGuid (in: pguid=0xf1e790 | out: pguid=0xf1e790*(Data1=0x39c6f3f5, Data2=0xed21, Data3=0x4259, Data4=([0]=0xbb, [1]=0x63, [2]=0x3c, [3]=0xa8, [4]=0x3, [5]=0xc7, [6]=0xc5, [7]=0x25))) returned 0x0 [0061.163] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0061.163] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0061.163] CoTaskMemFree (pv=0x10bd680) [0061.163] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0061.163] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken", lpFilePart=0x0) returned 0x29 [0061.163] SetErrorMode (uMode=0x1) returned 0x0 [0061.163] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\*.*", lpFindFileData=0xf1e520 | out: lpFindFileData=0xf1e520*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0x86109470, ftLastAccessTime.dwHighDateTime=0x1d5b69a, ftLastWriteTime.dwLowDateTime=0x86109470, ftLastWriteTime.dwHighDateTime=0x1d5b69a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0x86109470, ftLastAccessTime.dwHighDateTime=0x1d5b69a, ftLastWriteTime.dwLowDateTime=0x86109470, ftLastWriteTime.dwHighDateTime=0x1d5b69a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa453f8d0, ftCreationTime.dwHighDateTime=0x1d5bca5, ftLastAccessTime.dwLowDateTime=0xb6974e10, ftLastAccessTime.dwHighDateTime=0x1d5c2eb, ftLastWriteTime.dwLowDateTime=0xb6974e10, ftLastWriteTime.dwHighDateTime=0x1d5c2eb, nFileSizeHigh=0x0, nFileSizeLow=0xb27a, dwReserved0=0x0, dwReserved1=0x0, cFileName="3BhghfGOrqhAC_eQQ6Od.mp3", cAlternateFileName="3BHGHF~1.MP3")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9a2b20, ftCreationTime.dwHighDateTime=0x1d5c4ea, ftLastAccessTime.dwLowDateTime=0x835b5c70, ftLastAccessTime.dwHighDateTime=0x1d5bed2, ftLastWriteTime.dwLowDateTime=0x835b5c70, ftLastWriteTime.dwHighDateTime=0x1d5bed2, nFileSizeHigh=0x0, nFileSizeLow=0x6d57, dwReserved0=0x0, dwReserved1=0x0, cFileName="3ia1.avi", cAlternateFileName="")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xaff33410, ftLastWriteTime.dwHighDateTime=0x1d5b919, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="euwZWkKHGolY", cAlternateFileName="EUWZWK~1")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x153b93e0, ftCreationTime.dwHighDateTime=0x1d5c08f, ftLastAccessTime.dwLowDateTime=0xd97e1ac0, ftLastAccessTime.dwHighDateTime=0x1d5c530, ftLastWriteTime.dwLowDateTime=0xd97e1ac0, ftLastWriteTime.dwHighDateTime=0x1d5c530, nFileSizeHigh=0x0, nFileSizeLow=0xbafd, dwReserved0=0x0, dwReserved1=0x0, cFileName="h_aPp4Z1 qH.pptx", cAlternateFileName="H_APP4~1.PPT")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6708f690, ftCreationTime.dwHighDateTime=0x1d5b95f, ftLastAccessTime.dwLowDateTime=0x8a011600, ftLastAccessTime.dwHighDateTime=0x1d5be91, ftLastWriteTime.dwLowDateTime=0x8a011600, ftLastWriteTime.dwHighDateTime=0x1d5be91, nFileSizeHigh=0x0, nFileSizeLow=0xc448, dwReserved0=0x0, dwReserved1=0x0, cFileName="LRc4IZ.pps", cAlternateFileName="")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882674b0, ftCreationTime.dwHighDateTime=0x1d5c396, ftLastAccessTime.dwLowDateTime=0xb23d5460, ftLastAccessTime.dwHighDateTime=0x1d5bcf9, ftLastWriteTime.dwLowDateTime=0xb23d5460, ftLastWriteTime.dwHighDateTime=0x1d5bcf9, nFileSizeHigh=0x0, nFileSizeLow=0xfb8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pfsago0l0hoTkQMLUo.wav", cAlternateFileName="PFSAGO~1.WAV")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x614aad20, ftCreationTime.dwHighDateTime=0x1d5bffe, ftLastAccessTime.dwLowDateTime=0xc4b275a0, ftLastAccessTime.dwHighDateTime=0x1d5c25b, ftLastWriteTime.dwLowDateTime=0xc4b275a0, ftLastWriteTime.dwHighDateTime=0x1d5c25b, nFileSizeHigh=0x0, nFileSizeLow=0x101f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="RC P.bmp", cAlternateFileName="RCP~1.BMP")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d765b0, ftCreationTime.dwHighDateTime=0x1d5c437, ftLastAccessTime.dwLowDateTime=0x25e61080, ftLastAccessTime.dwHighDateTime=0x1d5c4ef, ftLastWriteTime.dwLowDateTime=0x25e61080, ftLastWriteTime.dwHighDateTime=0x1d5c4ef, nFileSizeHigh=0x0, nFileSizeLow=0x83fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="s52eN1rLpoTGl.bmp", cAlternateFileName="S52EN1~1.BMP")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0x6eaf1540, ftLastAccessTime.dwHighDateTime=0x1d5c5b8, ftLastWriteTime.dwLowDateTime=0x6eaf1540, ftLastWriteTime.dwHighDateTime=0x1d5c5b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tint", cAlternateFileName="")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xb44be1b0, ftLastWriteTime.dwHighDateTime=0x1d5c1de, nFileSizeHigh=0x0, nFileSizeLow=0x1743a, dwReserved0=0x0, dwReserved1=0x0, cFileName="YkNd73RaLNAI.swf", cAlternateFileName="YKND73~1.SWF")) returned 1 [0061.164] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e530 | out: lpFindFileData=0xf1e530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xb44be1b0, ftLastWriteTime.dwHighDateTime=0x1d5c1de, nFileSizeHigh=0x0, nFileSizeLow=0x1743a, dwReserved0=0x0, dwReserved1=0x0, cFileName="YkNd73RaLNAI.swf", cAlternateFileName="YKND73~1.SWF")) returned 0 [0061.164] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0061.164] SetErrorMode (uMode=0x0) returned 0x1 [0061.165] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.165] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.165] SetErrorMode (uMode=0x1) returned 0x0 [0061.165] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa453f8d0, ftCreationTime.dwHighDateTime=0x1d5bca5, ftLastAccessTime.dwLowDateTime=0xb6974e10, ftLastAccessTime.dwHighDateTime=0x1d5c2eb, ftLastWriteTime.dwLowDateTime=0xb6974e10, ftLastWriteTime.dwHighDateTime=0x1d5c2eb, nFileSizeHigh=0x0, nFileSizeLow=0xb27a)) returned 1 [0061.166] SetErrorMode (uMode=0x0) returned 0x1 [0061.166] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.166] SetErrorMode (uMode=0x1) returned 0x0 [0061.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.166] GetFileType (hFile=0x30c) returned 0x1 [0061.166] SetErrorMode (uMode=0x0) returned 0x1 [0061.166] GetFileType (hFile=0x30c) returned 0x1 [0061.166] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45630, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x3c [0061.166] ReadFile (in: hFile=0x30c, lpBuffer=0x3190990, nNumberOfBytesToRead=0xb23e, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x3190990*, lpNumberOfBytesRead=0xf1e678*=0xb23e, lpOverlapped=0x0) returned 1 [0061.167] CloseHandle (hObject=0x30c) returned 1 [0061.167] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.167] SetErrorMode (uMode=0x1) returned 0x0 [0061.167] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.167] GetFileType (hFile=0x30c) returned 0x1 [0061.167] SetErrorMode (uMode=0x0) returned 0x1 [0061.167] GetFileType (hFile=0x30c) returned 0x1 [0061.167] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0xb27a [0061.167] SetFilePointer (in: hFile=0x30c, lDistanceToMove=60, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x3c [0061.167] SetEndOfFile (hFile=0x30c) returned 1 [0061.170] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.170] CloseHandle (hObject=0x30c) returned 1 [0061.363] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.363] SetErrorMode (uMode=0x1) returned 0x0 [0061.363] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.363] GetFileType (hFile=0x30c) returned 0x1 [0061.363] SetErrorMode (uMode=0x0) returned 0x1 [0061.363] GetFileType (hFile=0x30c) returned 0x1 [0061.363] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x3c [0061.370] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.371] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.371] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.371] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.372] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.372] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.372] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.373] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.373] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.373] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.373] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.375] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.375] WriteFile (in: hFile=0x30c, lpBuffer=0x2ffe7f8*, nNumberOfBytesToWrite=0x413, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2ffe7f8*, lpNumberOfBytesWritten=0xf1e618*=0x413, lpOverlapped=0x0) returned 1 [0061.375] CloseHandle (hObject=0x30c) returned 1 [0061.377] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.377] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x72 [0061.378] SetErrorMode (uMode=0x1) returned 0x0 [0061.378] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa453f8d0, ftCreationTime.dwHighDateTime=0x1d5bca5, ftLastAccessTime.dwLowDateTime=0xb6974e10, ftLastAccessTime.dwHighDateTime=0x1d5c2eb, ftLastWriteTime.dwLowDateTime=0xdaa4e3c7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1044f)) returned 1 [0061.378] SetErrorMode (uMode=0x0) returned 0x1 [0061.378] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.378] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3", lpFilePart=0x0) returned 0x42 [0061.378] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3BhghfGOrqhAC_eQQ6Od.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3bhghfgorqhac_eqq6od.mp3")) returned 0 [0061.378] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.379] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.379] SetErrorMode (uMode=0x1) returned 0x0 [0061.379] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9a2b20, ftCreationTime.dwHighDateTime=0x1d5c4ea, ftLastAccessTime.dwLowDateTime=0x835b5c70, ftLastAccessTime.dwHighDateTime=0x1d5bed2, ftLastWriteTime.dwLowDateTime=0x835b5c70, ftLastWriteTime.dwHighDateTime=0x1d5bed2, nFileSizeHigh=0x0, nFileSizeLow=0x6d57)) returned 1 [0061.379] SetErrorMode (uMode=0x0) returned 0x1 [0061.379] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.379] SetErrorMode (uMode=0x1) returned 0x0 [0061.379] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.379] GetFileType (hFile=0x30c) returned 0x1 [0061.379] SetErrorMode (uMode=0x0) returned 0x1 [0061.379] GetFileType (hFile=0x30c) returned 0x1 [0061.379] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-27963, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x1c [0061.379] ReadFile (in: hFile=0x30c, lpBuffer=0x3000858, nNumberOfBytesToRead=0x6d3b, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x3000858*, lpNumberOfBytesRead=0xf1e678*=0x6d3b, lpOverlapped=0x0) returned 1 [0061.380] CloseHandle (hObject=0x30c) returned 1 [0061.380] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.380] SetErrorMode (uMode=0x1) returned 0x0 [0061.380] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.380] GetFileType (hFile=0x30c) returned 0x1 [0061.380] SetErrorMode (uMode=0x0) returned 0x1 [0061.380] GetFileType (hFile=0x30c) returned 0x1 [0061.380] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0x6d57 [0061.380] SetFilePointer (in: hFile=0x30c, lDistanceToMove=28, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x1c [0061.380] SetEndOfFile (hFile=0x30c) returned 1 [0061.382] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.382] CloseHandle (hObject=0x30c) returned 1 [0061.387] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.387] SetErrorMode (uMode=0x1) returned 0x0 [0061.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.387] GetFileType (hFile=0x30c) returned 0x1 [0061.387] SetErrorMode (uMode=0x0) returned 0x1 [0061.387] GetFileType (hFile=0x30c) returned 0x1 [0061.387] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x1c [0061.388] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.472] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.472] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.472] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.473] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.473] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.473] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.473] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.474] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.474] WriteFile (in: hFile=0x30c, lpBuffer=0x30634c8*, nNumberOfBytesToWrite=0xf6b, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30634c8*, lpNumberOfBytesWritten=0xf1e618*=0xf6b, lpOverlapped=0x0) returned 1 [0061.474] CloseHandle (hObject=0x30c) returned 1 [0061.475] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.475] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x62 [0061.476] SetErrorMode (uMode=0x1) returned 0x0 [0061.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9a2b20, ftCreationTime.dwHighDateTime=0x1d5c4ea, ftLastAccessTime.dwLowDateTime=0x835b5c70, ftLastAccessTime.dwHighDateTime=0x1d5bed2, ftLastWriteTime.dwLowDateTime=0xdab333f5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9f87)) returned 1 [0061.476] SetErrorMode (uMode=0x0) returned 0x1 [0061.476] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.476] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi", lpFilePart=0x0) returned 0x32 [0061.476] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\3ia1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\3ia1.avi")) returned 0 [0061.476] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.477] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.477] SetErrorMode (uMode=0x1) returned 0x0 [0061.477] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x153b93e0, ftCreationTime.dwHighDateTime=0x1d5c08f, ftLastAccessTime.dwLowDateTime=0xd97e1ac0, ftLastAccessTime.dwHighDateTime=0x1d5c530, ftLastWriteTime.dwLowDateTime=0xd97e1ac0, ftLastWriteTime.dwHighDateTime=0x1d5c530, nFileSizeHigh=0x0, nFileSizeLow=0xbafd)) returned 1 [0061.477] SetErrorMode (uMode=0x0) returned 0x1 [0061.477] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.477] SetErrorMode (uMode=0x1) returned 0x0 [0061.477] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.477] GetFileType (hFile=0x30c) returned 0x1 [0061.477] SetErrorMode (uMode=0x0) returned 0x1 [0061.477] GetFileType (hFile=0x30c) returned 0x1 [0061.477] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-47853, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x10 [0061.477] ReadFile (in: hFile=0x30c, lpBuffer=0x30654d8, nNumberOfBytesToRead=0xbaed, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x30654d8*, lpNumberOfBytesRead=0xf1e678*=0xbaed, lpOverlapped=0x0) returned 1 [0061.478] CloseHandle (hObject=0x30c) returned 1 [0061.478] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.478] SetErrorMode (uMode=0x1) returned 0x0 [0061.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.478] GetFileType (hFile=0x30c) returned 0x1 [0061.478] SetErrorMode (uMode=0x0) returned 0x1 [0061.478] GetFileType (hFile=0x30c) returned 0x1 [0061.478] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0xbafd [0061.478] SetFilePointer (in: hFile=0x30c, lDistanceToMove=16, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x10 [0061.478] SetEndOfFile (hFile=0x30c) returned 1 [0061.480] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.480] CloseHandle (hObject=0x30c) returned 1 [0061.492] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.492] SetErrorMode (uMode=0x1) returned 0x0 [0061.492] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.492] GetFileType (hFile=0x30c) returned 0x1 [0061.492] SetErrorMode (uMode=0x0) returned 0x1 [0061.492] GetFileType (hFile=0x30c) returned 0x1 [0061.493] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x10 [0061.493] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.494] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.494] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.494] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.494] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.495] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.495] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.495] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.495] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.496] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.496] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.496] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.496] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.497] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.497] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.497] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.497] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5e8, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e5e8*=0x1000, lpOverlapped=0x0) returned 1 [0061.497] WriteFile (in: hFile=0x30c, lpBuffer=0x30ce0c0*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x30ce0c0*, lpNumberOfBytesWritten=0xf1e618*=0xbf, lpOverlapped=0x0) returned 1 [0061.498] CloseHandle (hObject=0x30c) returned 1 [0061.500] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.500] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x6a [0061.500] SetErrorMode (uMode=0x1) returned 0x0 [0061.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x153b93e0, ftCreationTime.dwHighDateTime=0x1d5c08f, ftLastAccessTime.dwLowDateTime=0xd97e1ac0, ftLastAccessTime.dwHighDateTime=0x1d5c530, ftLastWriteTime.dwLowDateTime=0xdab7f800, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x110cf)) returned 1 [0061.500] SetErrorMode (uMode=0x0) returned 0x1 [0061.500] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.501] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx", lpFilePart=0x0) returned 0x3a [0061.501] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\h_aPp4Z1 qH.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\h_app4z1 qh.pptx")) returned 0 [0061.501] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.501] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.501] SetErrorMode (uMode=0x1) returned 0x0 [0061.501] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6708f690, ftCreationTime.dwHighDateTime=0x1d5b95f, ftLastAccessTime.dwLowDateTime=0x8a011600, ftLastAccessTime.dwHighDateTime=0x1d5be91, ftLastWriteTime.dwLowDateTime=0x8a011600, ftLastWriteTime.dwHighDateTime=0x1d5be91, nFileSizeHigh=0x0, nFileSizeLow=0xc448)) returned 1 [0061.501] SetErrorMode (uMode=0x0) returned 0x1 [0061.501] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.501] SetErrorMode (uMode=0x1) returned 0x0 [0061.501] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.501] GetFileType (hFile=0x30c) returned 0x1 [0061.502] SetErrorMode (uMode=0x0) returned 0x1 [0061.502] GetFileType (hFile=0x30c) returned 0x1 [0061.502] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-50193, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x37 [0061.502] ReadFile (in: hFile=0x30c, lpBuffer=0x30d00f0, nNumberOfBytesToRead=0xc411, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x30d00f0*, lpNumberOfBytesRead=0xf1e678*=0xc411, lpOverlapped=0x0) returned 1 [0061.502] CloseHandle (hObject=0x30c) returned 1 [0061.502] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.502] SetErrorMode (uMode=0x1) returned 0x0 [0061.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.502] GetFileType (hFile=0x30c) returned 0x1 [0061.502] SetErrorMode (uMode=0x0) returned 0x1 [0061.503] GetFileType (hFile=0x30c) returned 0x1 [0061.503] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0xc448 [0061.503] SetFilePointer (in: hFile=0x30c, lDistanceToMove=55, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x37 [0061.503] SetEndOfFile (hFile=0x30c) returned 1 [0061.505] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.505] CloseHandle (hObject=0x30c) returned 1 [0061.564] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.564] SetErrorMode (uMode=0x1) returned 0x0 [0061.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.565] GetFileType (hFile=0x30c) returned 0x1 [0061.565] SetErrorMode (uMode=0x0) returned 0x1 [0061.565] GetFileType (hFile=0x30c) returned 0x1 [0061.565] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x37 [0061.565] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.566] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.566] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.566] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.567] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.567] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.567] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.567] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.568] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.568] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.568] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.568] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.568] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.569] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.569] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.569] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.569] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.570] WriteFile (in: hFile=0x30c, lpBuffer=0x313c248*, nNumberOfBytesToWrite=0xe13, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x313c248*, lpNumberOfBytesWritten=0xf1e618*=0xe13, lpOverlapped=0x0) returned 1 [0061.570] CloseHandle (hObject=0x30c) returned 1 [0061.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x64 [0061.572] SetErrorMode (uMode=0x1) returned 0x0 [0061.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6708f690, ftCreationTime.dwHighDateTime=0x1d5b95f, ftLastAccessTime.dwLowDateTime=0x8a011600, ftLastAccessTime.dwHighDateTime=0x1d5be91, ftLastWriteTime.dwLowDateTime=0xdac18205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11e4a)) returned 1 [0061.572] SetErrorMode (uMode=0x0) returned 0x1 [0061.572] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps", lpFilePart=0x0) returned 0x34 [0061.572] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\LRc4IZ.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\lrc4iz.pps")) returned 0 [0061.573] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.573] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.573] SetErrorMode (uMode=0x1) returned 0x0 [0061.573] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882674b0, ftCreationTime.dwHighDateTime=0x1d5c396, ftLastAccessTime.dwLowDateTime=0xb23d5460, ftLastAccessTime.dwHighDateTime=0x1d5bcf9, ftLastWriteTime.dwLowDateTime=0xb23d5460, ftLastWriteTime.dwHighDateTime=0x1d5bcf9, nFileSizeHigh=0x0, nFileSizeLow=0xfb8b)) returned 1 [0061.573] SetErrorMode (uMode=0x0) returned 0x1 [0061.573] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.573] SetErrorMode (uMode=0x1) returned 0x0 [0061.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.573] GetFileType (hFile=0x30c) returned 0x1 [0061.573] SetErrorMode (uMode=0x0) returned 0x1 [0061.573] GetFileType (hFile=0x30c) returned 0x1 [0061.573] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-64350, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x2d [0061.573] ReadFile (in: hFile=0x30c, lpBuffer=0x313e2a0, nNumberOfBytesToRead=0xfb5e, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x313e2a0*, lpNumberOfBytesRead=0xf1e678*=0xfb5e, lpOverlapped=0x0) returned 1 [0061.574] CloseHandle (hObject=0x30c) returned 1 [0061.574] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.574] SetErrorMode (uMode=0x1) returned 0x0 [0061.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.574] GetFileType (hFile=0x30c) returned 0x1 [0061.574] SetErrorMode (uMode=0x0) returned 0x1 [0061.574] GetFileType (hFile=0x30c) returned 0x1 [0061.574] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0xfb8b [0061.574] SetFilePointer (in: hFile=0x30c, lDistanceToMove=45, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x2d [0061.574] SetEndOfFile (hFile=0x30c) returned 1 [0061.577] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.577] CloseHandle (hObject=0x30c) returned 1 [0061.592] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.592] SetErrorMode (uMode=0x1) returned 0x0 [0061.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.592] GetFileType (hFile=0x30c) returned 0x1 [0061.592] SetErrorMode (uMode=0x0) returned 0x1 [0061.592] GetFileType (hFile=0x30c) returned 0x1 [0061.592] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x2d [0061.593] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.593] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.594] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.594] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.594] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.594] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.594] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.595] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.595] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.595] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.595] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.595] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.596] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x30c, lpBuffer=0x31c2a00*, nNumberOfBytesToWrite=0xebf, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x31c2a00*, lpNumberOfBytesWritten=0xf1e618*=0xebf, lpOverlapped=0x0) returned 1 [0061.597] CloseHandle (hObject=0x30c) returned 1 [0061.599] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.600] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x70 [0061.600] SetErrorMode (uMode=0x1) returned 0x0 [0061.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882674b0, ftCreationTime.dwHighDateTime=0x1d5c396, ftLastAccessTime.dwLowDateTime=0xb23d5460, ftLastAccessTime.dwHighDateTime=0x1d5bcf9, ftLastWriteTime.dwLowDateTime=0xdac64704, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x16eec)) returned 1 [0061.600] SetErrorMode (uMode=0x0) returned 0x1 [0061.600] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.601] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav", lpFilePart=0x0) returned 0x40 [0061.601] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\Pfsago0l0hoTkQMLUo.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\pfsago0l0hotkqmluo.wav")) returned 0 [0061.601] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.601] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.601] SetErrorMode (uMode=0x1) returned 0x0 [0061.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x614aad20, ftCreationTime.dwHighDateTime=0x1d5bffe, ftLastAccessTime.dwLowDateTime=0xc4b275a0, ftLastAccessTime.dwHighDateTime=0x1d5c25b, ftLastWriteTime.dwLowDateTime=0xc4b275a0, ftLastWriteTime.dwHighDateTime=0x1d5c25b, nFileSizeHigh=0x0, nFileSizeLow=0x101f4)) returned 1 [0061.601] SetErrorMode (uMode=0x0) returned 0x1 [0061.601] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.601] SetErrorMode (uMode=0x1) returned 0x0 [0061.601] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.601] GetFileType (hFile=0x30c) returned 0x1 [0061.601] SetErrorMode (uMode=0x0) returned 0x1 [0061.602] GetFileType (hFile=0x30c) returned 0x1 [0061.602] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-65988, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x30 [0061.602] ReadFile (in: hFile=0x30c, lpBuffer=0x31c4a60, nNumberOfBytesToRead=0x101c4, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x31c4a60*, lpNumberOfBytesRead=0xf1e678*=0x101c4, lpOverlapped=0x0) returned 1 [0061.602] CloseHandle (hObject=0x30c) returned 1 [0061.602] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.602] SetErrorMode (uMode=0x1) returned 0x0 [0061.602] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.602] GetFileType (hFile=0x30c) returned 0x1 [0061.602] SetErrorMode (uMode=0x0) returned 0x1 [0061.602] GetFileType (hFile=0x30c) returned 0x1 [0061.603] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0x101f4 [0061.603] SetFilePointer (in: hFile=0x30c, lDistanceToMove=48, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x30 [0061.603] SetEndOfFile (hFile=0x30c) returned 1 [0061.605] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.605] CloseHandle (hObject=0x30c) returned 1 [0061.754] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.754] SetErrorMode (uMode=0x1) returned 0x0 [0061.754] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.755] GetFileType (hFile=0x30c) returned 0x1 [0061.755] SetErrorMode (uMode=0x0) returned 0x1 [0061.755] GetFileType (hFile=0x30c) returned 0x1 [0061.755] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x30 [0061.755] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.756] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.756] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.756] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.756] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.756] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.757] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.759] WriteFile (in: hFile=0x30c, lpBuffer=0x303ea38*, nNumberOfBytesToWrite=0x813, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x303ea38*, lpNumberOfBytesWritten=0xf1e618*=0x813, lpOverlapped=0x0) returned 1 [0061.759] CloseHandle (hObject=0x30c) returned 1 [0061.762] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.762] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x62 [0061.762] SetErrorMode (uMode=0x1) returned 0x0 [0061.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x614aad20, ftCreationTime.dwHighDateTime=0x1d5bffe, ftLastAccessTime.dwLowDateTime=0xc4b275a0, ftLastAccessTime.dwHighDateTime=0x1d5c25b, ftLastWriteTime.dwLowDateTime=0xdade1e80, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x17843)) returned 1 [0061.762] SetErrorMode (uMode=0x0) returned 0x1 [0061.762] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.763] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp", lpFilePart=0x0) returned 0x32 [0061.763] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\RC P.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\rc p.bmp")) returned 0 [0061.763] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.763] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.763] SetErrorMode (uMode=0x1) returned 0x0 [0061.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d765b0, ftCreationTime.dwHighDateTime=0x1d5c437, ftLastAccessTime.dwLowDateTime=0x25e61080, ftLastAccessTime.dwHighDateTime=0x1d5c4ef, ftLastWriteTime.dwLowDateTime=0x25e61080, ftLastWriteTime.dwHighDateTime=0x1d5c4ef, nFileSizeHigh=0x0, nFileSizeLow=0x83fa)) returned 1 [0061.763] SetErrorMode (uMode=0x0) returned 0x1 [0061.764] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.764] SetErrorMode (uMode=0x1) returned 0x0 [0061.764] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.765] GetFileType (hFile=0x30c) returned 0x1 [0061.765] SetErrorMode (uMode=0x0) returned 0x1 [0061.765] GetFileType (hFile=0x30c) returned 0x1 [0061.765] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-33696, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x5a [0061.765] ReadFile (in: hFile=0x30c, lpBuffer=0x3040a48, nNumberOfBytesToRead=0x83a0, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x3040a48*, lpNumberOfBytesRead=0xf1e678*=0x83a0, lpOverlapped=0x0) returned 1 [0061.765] CloseHandle (hObject=0x30c) returned 1 [0061.765] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.765] SetErrorMode (uMode=0x1) returned 0x0 [0061.765] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.765] GetFileType (hFile=0x30c) returned 0x1 [0061.765] SetErrorMode (uMode=0x0) returned 0x1 [0061.765] GetFileType (hFile=0x30c) returned 0x1 [0061.765] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0x83fa [0061.765] SetFilePointer (in: hFile=0x30c, lDistanceToMove=90, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x5a [0061.766] SetEndOfFile (hFile=0x30c) returned 1 [0061.768] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.768] CloseHandle (hObject=0x30c) returned 1 [0061.844] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.844] SetErrorMode (uMode=0x1) returned 0x0 [0061.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.844] GetFileType (hFile=0x30c) returned 0x1 [0061.844] SetErrorMode (uMode=0x0) returned 0x1 [0061.844] GetFileType (hFile=0x30c) returned 0x1 [0061.844] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x5a [0061.844] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.845] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.845] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.845] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.847] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.847] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.847] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5e8, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e5e8*=0x1000, lpOverlapped=0x0) returned 1 [0061.847] WriteFile (in: hFile=0x30c, lpBuffer=0x2feeb80*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x2feeb80*, lpNumberOfBytesWritten=0xf1e618*=0x13, lpOverlapped=0x0) returned 1 [0061.847] CloseHandle (hObject=0x30c) returned 1 [0061.849] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.849] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x6b [0061.849] SetErrorMode (uMode=0x1) returned 0x0 [0061.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d765b0, ftCreationTime.dwHighDateTime=0x1d5c437, ftLastAccessTime.dwLowDateTime=0x25e61080, ftLastAccessTime.dwHighDateTime=0x1d5c4ef, ftLastWriteTime.dwLowDateTime=0xdaec6aed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xc06d)) returned 1 [0061.849] SetErrorMode (uMode=0x0) returned 0x1 [0061.849] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.850] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp", lpFilePart=0x0) returned 0x3b [0061.850] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\s52eN1rLpoTGl.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\s52en1rlpotgl.bmp")) returned 0 [0061.850] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e450, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.850] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.850] SetErrorMode (uMode=0x1) returned 0x0 [0061.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xb44be1b0, ftLastWriteTime.dwHighDateTime=0x1d5c1de, nFileSizeHigh=0x0, nFileSizeLow=0x1743a)) returned 1 [0061.850] SetErrorMode (uMode=0x0) returned 0x1 [0061.850] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.850] SetErrorMode (uMode=0x1) returned 0x0 [0061.850] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.850] GetFileType (hFile=0x30c) returned 0x1 [0061.850] SetErrorMode (uMode=0x0) returned 0x1 [0061.850] GetFileType (hFile=0x30c) returned 0x1 [0061.850] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7e0*=0) returned 0x7a3b [0061.851] ReadFile (in: hFile=0x30c, lpBuffer=0x2ff0bd0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e678, lpOverlapped=0x0 | out: lpBuffer=0x2ff0bd0*, lpNumberOfBytesRead=0xf1e678*=0xf9ff, lpOverlapped=0x0) returned 1 [0061.851] CloseHandle (hObject=0x30c) returned 1 [0061.851] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.851] SetErrorMode (uMode=0x1) returned 0x0 [0061.851] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.851] GetFileType (hFile=0x30c) returned 0x1 [0061.851] SetErrorMode (uMode=0x0) returned 0x1 [0061.851] GetFileType (hFile=0x30c) returned 0x1 [0061.851] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e798 | out: lpFileSizeHigh=0xf1e798*=0x0) returned 0x1743a [0061.852] SetFilePointer (in: hFile=0x30c, lDistanceToMove=31291, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x7a3b [0061.852] SetEndOfFile (hFile=0x30c) returned 1 [0061.854] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7f0*=0) returned 0x0 [0061.854] CloseHandle (hObject=0x30c) returned 1 [0061.923] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.923] SetErrorMode (uMode=0x1) returned 0x0 [0061.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.923] GetFileType (hFile=0x30c) returned 0x1 [0061.923] SetErrorMode (uMode=0x0) returned 0x1 [0061.923] GetFileType (hFile=0x30c) returned 0x1 [0061.923] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e520*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e520*=0) returned 0x7a3b [0061.923] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.924] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.924] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.926] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.927] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0x1000, lpOverlapped=0x0) returned 1 [0061.928] WriteFile (in: hFile=0x30c, lpBuffer=0x3078528*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e618, lpOverlapped=0x0 | out: lpBuffer=0x3078528*, lpNumberOfBytesWritten=0xf1e618*=0xcbf, lpOverlapped=0x0) returned 1 [0061.928] CloseHandle (hObject=0x30c) returned 1 [0061.931] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.931] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x6a [0061.931] SetErrorMode (uMode=0x1) returned 0x0 [0061.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e650 | out: lpFileInformation=0xf1e650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e6fa)) returned 1 [0061.931] SetErrorMode (uMode=0x0) returned 0x1 [0061.931] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0061.932] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf", lpFilePart=0x0) returned 0x3a [0061.932] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\YkNd73RaLNAI.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\yknd73ralnai.swf")) returned 0 [0061.932] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x41 [0061.932] SetErrorMode (uMode=0x1) returned 0x0 [0061.932] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\#DECRYPT MY FILES#.html" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.932] GetFileType (hFile=0x30c) returned 0x1 [0061.932] SetErrorMode (uMode=0x0) returned 0x1 [0061.932] GetFileType (hFile=0x30c) returned 0x1 [0061.932] WriteFile (in: hFile=0x30c, lpBuffer=0x307b8c0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e6c8, lpOverlapped=0x0 | out: lpBuffer=0x307b8c0*, lpNumberOfBytesWritten=0xf1e6c8*=0x1000, lpOverlapped=0x0) returned 1 [0061.933] WriteFile (in: hFile=0x30c, lpBuffer=0x307b8c0*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e6c8, lpOverlapped=0x0 | out: lpBuffer=0x307b8c0*, lpNumberOfBytesWritten=0xf1e6c8*=0x443, lpOverlapped=0x0) returned 1 [0061.933] CloseHandle (hObject=0x30c) returned 1 [0061.934] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken", lpFilePart=0x0) returned 0x29 [0061.934] SetErrorMode (uMode=0x1) returned 0x0 [0061.934] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\*", lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0xdaf85809, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea07ee0, ftCreationTime.dwHighDateTime=0x1d5c385, ftLastAccessTime.dwLowDateTime=0xdaf85809, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaf85809, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdaf85809, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa453f8d0, ftCreationTime.dwHighDateTime=0x1d5bca5, ftLastAccessTime.dwLowDateTime=0xb6974e10, ftLastAccessTime.dwHighDateTime=0x1d5c2eb, ftLastWriteTime.dwLowDateTime=0xdaa4e3c7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1044f, dwReserved0=0x0, dwReserved1=0x0, cFileName="3BhghfGOrqhAC_eQQ6Od.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="3BHGHF~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9a2b20, ftCreationTime.dwHighDateTime=0x1d5c4ea, ftLastAccessTime.dwLowDateTime=0x835b5c70, ftLastAccessTime.dwHighDateTime=0x1d5bed2, ftLastWriteTime.dwLowDateTime=0xdab333f5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9f87, dwReserved0=0x0, dwReserved1=0x0, cFileName="3ia1.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="3IA1AV~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xaff33410, ftLastWriteTime.dwHighDateTime=0x1d5b919, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="euwZWkKHGolY", cAlternateFileName="EUWZWK~1")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x153b93e0, ftCreationTime.dwHighDateTime=0x1d5c08f, ftLastAccessTime.dwLowDateTime=0xd97e1ac0, ftLastAccessTime.dwHighDateTime=0x1d5c530, ftLastWriteTime.dwLowDateTime=0xdab7f800, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x110cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="h_aPp4Z1 qH.pptx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="H_APP4~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6708f690, ftCreationTime.dwHighDateTime=0x1d5b95f, ftLastAccessTime.dwLowDateTime=0x8a011600, ftLastAccessTime.dwHighDateTime=0x1d5be91, ftLastWriteTime.dwLowDateTime=0xdac18205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LRc4IZ.pps[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="LRC4IZ~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882674b0, ftCreationTime.dwHighDateTime=0x1d5c396, ftLastAccessTime.dwLowDateTime=0xb23d5460, ftLastAccessTime.dwHighDateTime=0x1d5bcf9, ftLastWriteTime.dwLowDateTime=0xdac64704, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x16eec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pfsago0l0hoTkQMLUo.wav[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PFSAGO~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x614aad20, ftCreationTime.dwHighDateTime=0x1d5bffe, ftLastAccessTime.dwLowDateTime=0xc4b275a0, ftLastAccessTime.dwHighDateTime=0x1d5c25b, ftLastWriteTime.dwLowDateTime=0xdade1e80, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x17843, dwReserved0=0x0, dwReserved1=0x0, cFileName="RC P.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="RCPBMP~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d765b0, ftCreationTime.dwHighDateTime=0x1d5c437, ftLastAccessTime.dwLowDateTime=0x25e61080, ftLastAccessTime.dwHighDateTime=0x1d5c4ef, ftLastWriteTime.dwLowDateTime=0xdaec6aed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xc06d, dwReserved0=0x0, dwReserved1=0x0, cFileName="s52eN1rLpoTGl.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="S52EN1~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0x6eaf1540, ftLastAccessTime.dwHighDateTime=0x1d5c5b8, ftLastWriteTime.dwLowDateTime=0x6eaf1540, ftLastWriteTime.dwHighDateTime=0x1d5c5b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tint", cAlternateFileName="")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e6fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="YkNd73RaLNAI.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="YKND73~1.PRT")) returned 1 [0061.934] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e500 | out: lpFindFileData=0xf1e500*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b749e0, ftCreationTime.dwHighDateTime=0x1d5b962, ftLastAccessTime.dwLowDateTime=0xb44be1b0, ftLastAccessTime.dwHighDateTime=0x1d5c1de, ftLastWriteTime.dwLowDateTime=0xdaf85809, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e6fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="YkNd73RaLNAI.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="YKND73~1.PRT")) returned 0 [0061.934] FindClose (in: hFindFile=0x10b3350 | out: hFindFile=0x10b3350) returned 1 [0061.935] SetErrorMode (uMode=0x0) returned 0x1 [0061.935] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0061.935] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0061.935] CoTaskMemFree (pv=0x10bd8a0) [0061.935] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0061.935] CoCreateGuid (in: pguid=0xf1e6d0 | out: pguid=0xf1e6d0*(Data1=0x265f6334, Data2=0x31ec, Data3=0x4291, Data4=([0]=0x93, [1]=0xa, [2]=0x38, [3]=0x54, [4]=0x94, [5]=0xdb, [6]=0xab, [7]=0x4c))) returned 0x0 [0061.935] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0061.935] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0061.935] CoTaskMemFree (pv=0x10bd680) [0061.935] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0061.935] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY", lpFilePart=0x0) returned 0x36 [0061.935] SetErrorMode (uMode=0x1) returned 0x0 [0061.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\*.*", lpFindFileData=0xf1e460 | out: lpFindFileData=0xf1e460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xaff33410, ftLastWriteTime.dwHighDateTime=0x1d5b919, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3470 [0061.935] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xaff33410, ftLastWriteTime.dwHighDateTime=0x1d5b919, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.936] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4YP7HqQHS", cAlternateFileName="4YP7HQ~1")) returned 1 [0061.936] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4YP7HqQHS", cAlternateFileName="4YP7HQ~1")) returned 0 [0061.936] FindClose (in: hFindFile=0x10b3470 | out: hFindFile=0x10b3470) returned 1 [0061.936] SetErrorMode (uMode=0x0) returned 0x1 [0061.936] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x4e [0061.936] SetErrorMode (uMode=0x1) returned 0x0 [0061.936] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\#DECRYPT MY FILES#.html" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0061.937] GetFileType (hFile=0x30c) returned 0x1 [0061.937] SetErrorMode (uMode=0x0) returned 0x1 [0061.937] GetFileType (hFile=0x30c) returned 0x1 [0061.937] WriteFile (in: hFile=0x30c, lpBuffer=0x3081e78*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e608, lpOverlapped=0x0 | out: lpBuffer=0x3081e78*, lpNumberOfBytesWritten=0xf1e608*=0x1000, lpOverlapped=0x0) returned 1 [0061.938] WriteFile (in: hFile=0x30c, lpBuffer=0x3081e78*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e608, lpOverlapped=0x0 | out: lpBuffer=0x3081e78*, lpNumberOfBytesWritten=0xf1e608*=0x443, lpOverlapped=0x0) returned 1 [0061.938] CloseHandle (hObject=0x30c) returned 1 [0061.939] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY", lpFilePart=0x0) returned 0x36 [0061.939] SetErrorMode (uMode=0x1) returned 0x0 [0061.939] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\*", lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xdafabb31, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3230 [0061.939] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd96d7730, ftCreationTime.dwHighDateTime=0x1d5b601, ftLastAccessTime.dwLowDateTime=0xaff33410, ftLastAccessTime.dwHighDateTime=0x1d5b919, ftLastWriteTime.dwLowDateTime=0xdafabb31, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.939] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdafabb31, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdafabb31, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdafabb31, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0061.939] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4YP7HqQHS", cAlternateFileName="4YP7HQ~1")) returned 1 [0061.939] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4YP7HqQHS", cAlternateFileName="4YP7HQ~1")) returned 0 [0061.939] FindClose (in: hFindFile=0x10b3230 | out: hFindFile=0x10b3230) returned 1 [0061.939] SetErrorMode (uMode=0x0) returned 0x1 [0061.939] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0061.939] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0061.939] CoTaskMemFree (pv=0x10be120) [0061.939] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0061.940] CoCreateGuid (in: pguid=0xf1e610 | out: pguid=0xf1e610*(Data1=0x3f68d18b, Data2=0x3c55, Data3=0x4539, Data4=([0]=0x8e, [1]=0x3d, [2]=0x38, [3]=0xf4, [4]=0x56, [5]=0xfe, [6]=0xa5, [7]=0x5))) returned 0x0 [0061.940] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0061.940] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0061.940] CoTaskMemFree (pv=0x10be120) [0061.940] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0061.940] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS", nBufferLength=0x105, lpBuffer=0xf1e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS", lpFilePart=0x0) returned 0x40 [0061.940] SetErrorMode (uMode=0x1) returned 0x0 [0061.940] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\*.*", lpFindFileData=0xf1e3a0 | out: lpFindFileData=0xf1e3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0x76519880, ftLastAccessTime.dwHighDateTime=0x1d5c47e, ftLastWriteTime.dwLowDateTime=0x76519880, ftLastWriteTime.dwHighDateTime=0x1d5c47e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd043c90, ftCreationTime.dwHighDateTime=0x1d5bf09, ftLastAccessTime.dwLowDateTime=0xda17ab90, ftLastAccessTime.dwHighDateTime=0x1d5c544, ftLastWriteTime.dwLowDateTime=0xda17ab90, ftLastWriteTime.dwHighDateTime=0x1d5c544, nFileSizeHigh=0x0, nFileSizeLow=0xf7b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DDTioX.swf", cAlternateFileName="")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf968aea0, ftCreationTime.dwHighDateTime=0x1d5be86, ftLastAccessTime.dwLowDateTime=0x545c3d50, ftLastAccessTime.dwHighDateTime=0x1d5beef, ftLastWriteTime.dwLowDateTime=0x545c3d50, ftLastWriteTime.dwHighDateTime=0x1d5beef, nFileSizeHigh=0x0, nFileSizeLow=0xbea9, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEa-lpYoEt2.swf", cAlternateFileName="EEA-LP~1.SWF")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981f7cd0, ftCreationTime.dwHighDateTime=0x1d5bbdb, ftLastAccessTime.dwLowDateTime=0xf8c6b440, ftLastAccessTime.dwHighDateTime=0x1d5b8de, ftLastWriteTime.dwLowDateTime=0xf8c6b440, ftLastWriteTime.dwHighDateTime=0x1d5b8de, nFileSizeHigh=0x0, nFileSizeLow=0x18c49, dwReserved0=0x0, dwReserved1=0x0, cFileName="FmyEhH1MSJfnC7hBl.avi", cAlternateFileName="FMYEHH~1.AVI")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5d95e0, ftCreationTime.dwHighDateTime=0x1d5ba4e, ftLastAccessTime.dwLowDateTime=0x1403c510, ftLastAccessTime.dwHighDateTime=0x1d5c54e, ftLastWriteTime.dwLowDateTime=0x1403c510, ftLastWriteTime.dwHighDateTime=0x1d5c54e, nFileSizeHigh=0x0, nFileSizeLow=0x9b9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="FpGsji mckJ_Ib.csv", cAlternateFileName="FPGSJI~1.CSV")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9cc62a0, ftCreationTime.dwHighDateTime=0x1d5b8a4, ftLastAccessTime.dwLowDateTime=0x95f3bdb0, ftLastAccessTime.dwHighDateTime=0x1d5c232, ftLastWriteTime.dwLowDateTime=0x95f3bdb0, ftLastWriteTime.dwHighDateTime=0x1d5c232, nFileSizeHigh=0x0, nFileSizeLow=0x102de, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtLz_6.flv", cAlternateFileName="")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7667a0, ftCreationTime.dwHighDateTime=0x1d5bd26, ftLastAccessTime.dwLowDateTime=0x625de2d0, ftLastAccessTime.dwHighDateTime=0x1d5c167, ftLastWriteTime.dwLowDateTime=0x625de2d0, ftLastWriteTime.dwHighDateTime=0x1d5c167, nFileSizeHigh=0x0, nFileSizeLow=0xf11d, dwReserved0=0x0, dwReserved1=0x0, cFileName="VUIgmg-6k-bN DJNU.gif", cAlternateFileName="VUIGMG~1.GIF")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xc5b05840, ftLastWriteTime.dwHighDateTime=0x1d5c248, nFileSizeHigh=0x0, nFileSizeLow=0x7a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="xRSxrtnv8iByIbSF.mp3", cAlternateFileName="XRSXRT~1.MP3")) returned 1 [0061.940] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e3b0 | out: lpFindFileData=0xf1e3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xc5b05840, ftLastWriteTime.dwHighDateTime=0x1d5c248, nFileSizeHigh=0x0, nFileSizeLow=0x7a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="xRSxrtnv8iByIbSF.mp3", cAlternateFileName="XRSXRT~1.MP3")) returned 0 [0061.940] FindClose (in: hFindFile=0x10b3110 | out: hFindFile=0x10b3110) returned 1 [0061.941] SetErrorMode (uMode=0x0) returned 0x1 [0061.941] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0061.941] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0061.941] SetErrorMode (uMode=0x1) returned 0x0 [0061.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd043c90, ftCreationTime.dwHighDateTime=0x1d5bf09, ftLastAccessTime.dwLowDateTime=0xda17ab90, ftLastAccessTime.dwHighDateTime=0x1d5c544, ftLastWriteTime.dwLowDateTime=0xda17ab90, ftLastWriteTime.dwHighDateTime=0x1d5c544, nFileSizeHigh=0x0, nFileSizeLow=0xf7b8)) returned 1 [0061.941] SetErrorMode (uMode=0x0) returned 0x1 [0061.941] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0061.941] SetErrorMode (uMode=0x1) returned 0x0 [0061.941] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.941] GetFileType (hFile=0x30c) returned 0x1 [0061.941] SetErrorMode (uMode=0x0) returned 0x1 [0061.941] GetFileType (hFile=0x30c) returned 0x1 [0061.941] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63414, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x2 [0061.941] ReadFile (in: hFile=0x30c, lpBuffer=0x3087658, nNumberOfBytesToRead=0xf7b6, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x3087658*, lpNumberOfBytesRead=0xf1e4f8*=0xf7b6, lpOverlapped=0x0) returned 1 [0061.942] CloseHandle (hObject=0x30c) returned 1 [0061.942] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0061.942] SetErrorMode (uMode=0x1) returned 0x0 [0061.942] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0061.942] GetFileType (hFile=0x30c) returned 0x1 [0061.942] SetErrorMode (uMode=0x0) returned 0x1 [0061.942] GetFileType (hFile=0x30c) returned 0x1 [0061.942] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0xf7b8 [0061.942] SetFilePointer (in: hFile=0x30c, lDistanceToMove=2, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x2 [0061.942] SetEndOfFile (hFile=0x30c) returned 1 [0061.945] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0061.945] CloseHandle (hObject=0x30c) returned 1 [0062.058] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0062.058] SetErrorMode (uMode=0x1) returned 0x0 [0062.058] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.058] GetFileType (hFile=0x30c) returned 0x1 [0062.058] SetErrorMode (uMode=0x0) returned 0x1 [0062.058] GetFileType (hFile=0x30c) returned 0x1 [0062.058] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x2 [0062.058] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.059] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.059] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.059] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.061] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.061] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.061] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.062] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.063] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.063] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.063] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.063] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.063] WriteFile (in: hFile=0x30c, lpBuffer=0x3108a28*, nNumberOfBytesToWrite=0x96b, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3108a28*, lpNumberOfBytesWritten=0xf1e498*=0x96b, lpOverlapped=0x0) returned 1 [0062.063] CloseHandle (hObject=0x30c) returned 1 [0062.065] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0062.066] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x7b [0062.066] SetErrorMode (uMode=0x1) returned 0x0 [0062.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd043c90, ftCreationTime.dwHighDateTime=0x1d5bf09, ftLastAccessTime.dwLowDateTime=0xda17ab90, ftLastAccessTime.dwHighDateTime=0x1d5c544, ftLastWriteTime.dwLowDateTime=0xdb0dce96, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1696d)) returned 1 [0062.066] SetErrorMode (uMode=0x0) returned 0x1 [0062.066] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.066] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf", lpFilePart=0x0) returned 0x4b [0062.066] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\DDTioX.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\ddtiox.swf")) returned 0 [0062.067] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.067] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.067] SetErrorMode (uMode=0x1) returned 0x0 [0062.067] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf968aea0, ftCreationTime.dwHighDateTime=0x1d5be86, ftLastAccessTime.dwLowDateTime=0x545c3d50, ftLastAccessTime.dwHighDateTime=0x1d5beef, ftLastWriteTime.dwLowDateTime=0x545c3d50, ftLastWriteTime.dwHighDateTime=0x1d5beef, nFileSizeHigh=0x0, nFileSizeLow=0xbea9)) returned 1 [0062.067] SetErrorMode (uMode=0x0) returned 0x1 [0062.067] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.067] SetErrorMode (uMode=0x1) returned 0x0 [0062.067] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.067] GetFileType (hFile=0x30c) returned 0x1 [0062.067] SetErrorMode (uMode=0x0) returned 0x1 [0062.067] GetFileType (hFile=0x30c) returned 0x1 [0062.067] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-48789, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x14 [0062.067] ReadFile (in: hFile=0x30c, lpBuffer=0x310ab50, nNumberOfBytesToRead=0xbe95, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x310ab50*, lpNumberOfBytesRead=0xf1e4f8*=0xbe95, lpOverlapped=0x0) returned 1 [0062.068] CloseHandle (hObject=0x30c) returned 1 [0062.068] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.068] SetErrorMode (uMode=0x1) returned 0x0 [0062.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.068] GetFileType (hFile=0x30c) returned 0x1 [0062.068] SetErrorMode (uMode=0x0) returned 0x1 [0062.068] GetFileType (hFile=0x30c) returned 0x1 [0062.068] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0xbea9 [0062.068] SetFilePointer (in: hFile=0x30c, lDistanceToMove=20, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x14 [0062.068] SetEndOfFile (hFile=0x30c) returned 1 [0062.070] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0062.070] CloseHandle (hObject=0x30c) returned 1 [0062.084] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.084] SetErrorMode (uMode=0x1) returned 0x0 [0062.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.084] GetFileType (hFile=0x30c) returned 0x1 [0062.084] SetErrorMode (uMode=0x0) returned 0x1 [0062.084] GetFileType (hFile=0x30c) returned 0x1 [0062.084] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x14 [0062.084] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.085] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.206] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.206] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.208] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.209] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.209] WriteFile (in: hFile=0x30c, lpBuffer=0x3174ce8*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3174ce8*, lpNumberOfBytesWritten=0xf1e498*=0x613, lpOverlapped=0x0) returned 1 [0062.209] CloseHandle (hObject=0x30c) returned 1 [0062.211] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.211] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x80 [0062.211] SetErrorMode (uMode=0x1) returned 0x0 [0062.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf968aea0, ftCreationTime.dwHighDateTime=0x1d5be86, ftLastAccessTime.dwLowDateTime=0x545c3d50, ftLastAccessTime.dwHighDateTime=0x1d5beef, ftLastWriteTime.dwLowDateTime=0xdb2342d6, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11627)) returned 1 [0062.211] SetErrorMode (uMode=0x0) returned 0x1 [0062.211] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.212] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf", lpFilePart=0x0) returned 0x50 [0062.212] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\EEa-lpYoEt2.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\eea-lpyoet2.swf")) returned 0 [0062.212] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.212] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.212] SetErrorMode (uMode=0x1) returned 0x0 [0062.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981f7cd0, ftCreationTime.dwHighDateTime=0x1d5bbdb, ftLastAccessTime.dwLowDateTime=0xf8c6b440, ftLastAccessTime.dwHighDateTime=0x1d5b8de, ftLastWriteTime.dwLowDateTime=0xf8c6b440, ftLastWriteTime.dwHighDateTime=0x1d5b8de, nFileSizeHigh=0x0, nFileSizeLow=0x18c49)) returned 1 [0062.212] SetErrorMode (uMode=0x0) returned 0x1 [0062.212] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.213] SetErrorMode (uMode=0x1) returned 0x0 [0062.213] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.213] GetFileType (hFile=0x30c) returned 0x1 [0062.213] SetErrorMode (uMode=0x0) returned 0x1 [0062.213] GetFileType (hFile=0x30c) returned 0x1 [0062.213] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x924a [0062.213] ReadFile (in: hFile=0x30c, lpBuffer=0x3176e70, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x3176e70*, lpNumberOfBytesRead=0xf1e4f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0062.213] CloseHandle (hObject=0x30c) returned 1 [0062.213] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.213] SetErrorMode (uMode=0x1) returned 0x0 [0062.214] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.214] GetFileType (hFile=0x30c) returned 0x1 [0062.214] SetErrorMode (uMode=0x0) returned 0x1 [0062.214] GetFileType (hFile=0x30c) returned 0x1 [0062.214] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0x18c49 [0062.214] SetFilePointer (in: hFile=0x30c, lDistanceToMove=37450, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x924a [0062.214] SetEndOfFile (hFile=0x30c) returned 1 [0062.216] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0062.216] CloseHandle (hObject=0x30c) returned 1 [0062.236] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.236] SetErrorMode (uMode=0x1) returned 0x0 [0062.236] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.236] GetFileType (hFile=0x30c) returned 0x1 [0062.236] SetErrorMode (uMode=0x0) returned 0x1 [0062.236] GetFileType (hFile=0x30c) returned 0x1 [0062.236] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x924a [0062.291] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.292] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.292] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.292] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.292] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.293] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.294] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.295] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.295] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.305] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.305] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.305] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.305] WriteFile (in: hFile=0x30c, lpBuffer=0x3003670*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3003670*, lpNumberOfBytesWritten=0xf1e498*=0xcbf, lpOverlapped=0x0) returned 1 [0062.305] CloseHandle (hObject=0x30c) returned 1 [0062.309] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.309] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x86 [0062.309] SetErrorMode (uMode=0x1) returned 0x0 [0062.309] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981f7cd0, ftCreationTime.dwHighDateTime=0x1d5bbdb, ftLastAccessTime.dwLowDateTime=0xf8c6b440, ftLastAccessTime.dwHighDateTime=0x1d5b8de, ftLastWriteTime.dwLowDateTime=0xdb318f2e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ff09)) returned 1 [0062.309] SetErrorMode (uMode=0x0) returned 0x1 [0062.309] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.310] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi", lpFilePart=0x0) returned 0x56 [0062.310] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FmyEhH1MSJfnC7hBl.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fmyehh1msjfnc7hbl.avi")) returned 0 [0062.310] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.310] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.310] SetErrorMode (uMode=0x1) returned 0x0 [0062.310] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5d95e0, ftCreationTime.dwHighDateTime=0x1d5ba4e, ftLastAccessTime.dwLowDateTime=0x1403c510, ftLastAccessTime.dwHighDateTime=0x1d5c54e, ftLastWriteTime.dwLowDateTime=0x1403c510, ftLastWriteTime.dwHighDateTime=0x1d5c54e, nFileSizeHigh=0x0, nFileSizeLow=0x9b9a)) returned 1 [0062.310] SetErrorMode (uMode=0x0) returned 0x1 [0062.310] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.310] SetErrorMode (uMode=0x1) returned 0x0 [0062.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.310] GetFileType (hFile=0x30c) returned 0x1 [0062.310] SetErrorMode (uMode=0x0) returned 0x1 [0062.311] GetFileType (hFile=0x30c) returned 0x1 [0062.311] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-39780, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x36 [0062.311] ReadFile (in: hFile=0x30c, lpBuffer=0x3005800, nNumberOfBytesToRead=0x9b64, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x3005800*, lpNumberOfBytesRead=0xf1e4f8*=0x9b64, lpOverlapped=0x0) returned 1 [0062.311] CloseHandle (hObject=0x30c) returned 1 [0062.311] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.311] SetErrorMode (uMode=0x1) returned 0x0 [0062.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.312] GetFileType (hFile=0x30c) returned 0x1 [0062.312] SetErrorMode (uMode=0x0) returned 0x1 [0062.312] GetFileType (hFile=0x30c) returned 0x1 [0062.312] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0x9b9a [0062.312] SetFilePointer (in: hFile=0x30c, lDistanceToMove=54, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x36 [0062.312] SetEndOfFile (hFile=0x30c) returned 1 [0062.314] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0062.314] CloseHandle (hObject=0x30c) returned 1 [0062.325] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.325] SetErrorMode (uMode=0x1) returned 0x0 [0062.325] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.325] GetFileType (hFile=0x30c) returned 0x1 [0062.325] SetErrorMode (uMode=0x0) returned 0x1 [0062.325] GetFileType (hFile=0x30c) returned 0x1 [0062.325] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x36 [0062.325] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.326] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.326] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.327] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.327] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.327] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.327] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.327] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e468, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e468*=0x1000, lpOverlapped=0x0) returned 1 [0062.328] WriteFile (in: hFile=0x30c, lpBuffer=0x3062940*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3062940*, lpNumberOfBytesWritten=0xf1e498*=0x2bf, lpOverlapped=0x0) returned 1 [0062.329] CloseHandle (hObject=0x30c) returned 1 [0062.330] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.330] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x83 [0062.330] SetErrorMode (uMode=0x1) returned 0x0 [0062.330] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5d95e0, ftCreationTime.dwHighDateTime=0x1d5ba4e, ftLastAccessTime.dwLowDateTime=0x1403c510, ftLastAccessTime.dwHighDateTime=0x1d5c54e, ftLastWriteTime.dwLowDateTime=0xdb36532b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xe2f5)) returned 1 [0062.330] SetErrorMode (uMode=0x0) returned 0x1 [0062.331] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.331] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv", lpFilePart=0x0) returned 0x53 [0062.331] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\FpGsji mckJ_Ib.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\fpgsji mckj_ib.csv")) returned 0 [0062.331] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.331] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.331] SetErrorMode (uMode=0x1) returned 0x0 [0062.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9cc62a0, ftCreationTime.dwHighDateTime=0x1d5b8a4, ftLastAccessTime.dwLowDateTime=0x95f3bdb0, ftLastAccessTime.dwHighDateTime=0x1d5c232, ftLastWriteTime.dwLowDateTime=0x95f3bdb0, ftLastWriteTime.dwHighDateTime=0x1d5c232, nFileSizeHigh=0x0, nFileSizeLow=0x102de)) returned 1 [0062.331] SetErrorMode (uMode=0x0) returned 0x1 [0062.332] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.332] SetErrorMode (uMode=0x1) returned 0x0 [0062.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.332] GetFileType (hFile=0x30c) returned 0x1 [0062.332] SetErrorMode (uMode=0x0) returned 0x1 [0062.332] GetFileType (hFile=0x30c) returned 0x1 [0062.332] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-66222, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x30 [0062.332] ReadFile (in: hFile=0x30c, lpBuffer=0x3064a80, nNumberOfBytesToRead=0x102ae, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x3064a80*, lpNumberOfBytesRead=0xf1e4f8*=0x102ae, lpOverlapped=0x0) returned 1 [0062.332] CloseHandle (hObject=0x30c) returned 1 [0062.332] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.332] SetErrorMode (uMode=0x1) returned 0x0 [0062.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.333] GetFileType (hFile=0x30c) returned 0x1 [0062.333] SetErrorMode (uMode=0x0) returned 0x1 [0062.333] GetFileType (hFile=0x30c) returned 0x1 [0062.333] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0x102de [0062.333] SetFilePointer (in: hFile=0x30c, lDistanceToMove=48, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x30 [0062.333] SetEndOfFile (hFile=0x30c) returned 1 [0062.335] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0062.335] CloseHandle (hObject=0x30c) returned 1 [0062.439] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.439] SetErrorMode (uMode=0x1) returned 0x0 [0062.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.439] GetFileType (hFile=0x30c) returned 0x1 [0062.439] SetErrorMode (uMode=0x0) returned 0x1 [0062.439] GetFileType (hFile=0x30c) returned 0x1 [0062.439] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x30 [0062.440] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.440] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.441] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.441] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.441] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.441] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.441] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.442] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x30c, lpBuffer=0x30ea1b0*, nNumberOfBytesToWrite=0x96b, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x30ea1b0*, lpNumberOfBytesWritten=0xf1e498*=0x96b, lpOverlapped=0x0) returned 1 [0062.444] CloseHandle (hObject=0x30c) returned 1 [0062.507] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.507] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x7b [0062.507] SetErrorMode (uMode=0x1) returned 0x0 [0062.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9cc62a0, ftCreationTime.dwHighDateTime=0x1d5b8a4, ftLastAccessTime.dwLowDateTime=0x95f3bdb0, ftLastAccessTime.dwHighDateTime=0x1d5c232, ftLastWriteTime.dwLowDateTime=0xdb470357, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1799b)) returned 1 [0062.507] SetErrorMode (uMode=0x0) returned 0x1 [0062.507] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.595] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv", lpFilePart=0x0) returned 0x4b [0062.595] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\rtLz_6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\rtlz_6.flv")) returned 0 [0062.596] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.596] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.596] SetErrorMode (uMode=0x1) returned 0x0 [0062.596] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7667a0, ftCreationTime.dwHighDateTime=0x1d5bd26, ftLastAccessTime.dwLowDateTime=0x625de2d0, ftLastAccessTime.dwHighDateTime=0x1d5c167, ftLastWriteTime.dwLowDateTime=0x625de2d0, ftLastWriteTime.dwHighDateTime=0x1d5c167, nFileSizeHigh=0x0, nFileSizeLow=0xf11d)) returned 1 [0062.596] SetErrorMode (uMode=0x0) returned 0x1 [0062.596] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.596] SetErrorMode (uMode=0x1) returned 0x0 [0062.596] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.596] GetFileType (hFile=0x30c) returned 0x1 [0062.597] SetErrorMode (uMode=0x0) returned 0x1 [0062.597] GetFileType (hFile=0x30c) returned 0x1 [0062.597] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-61659, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x42 [0062.597] ReadFile (in: hFile=0x30c, lpBuffer=0x30ec2f8, nNumberOfBytesToRead=0xf0db, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x30ec2f8*, lpNumberOfBytesRead=0xf1e4f8*=0xf0db, lpOverlapped=0x0) returned 1 [0062.597] CloseHandle (hObject=0x30c) returned 1 [0062.597] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.597] SetErrorMode (uMode=0x1) returned 0x0 [0062.597] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.598] GetFileType (hFile=0x30c) returned 0x1 [0062.598] SetErrorMode (uMode=0x0) returned 0x1 [0062.598] GetFileType (hFile=0x30c) returned 0x1 [0062.598] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0xf11d [0062.598] SetFilePointer (in: hFile=0x30c, lDistanceToMove=66, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x42 [0062.598] SetEndOfFile (hFile=0x30c) returned 1 [0062.600] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0062.600] CloseHandle (hObject=0x30c) returned 1 [0062.654] VirtualAlloc (lpAddress=0x13282000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x13282000 [0062.665] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.665] SetErrorMode (uMode=0x1) returned 0x0 [0062.665] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0062.666] GetFileType (hFile=0x30c) returned 0x1 [0062.666] SetErrorMode (uMode=0x0) returned 0x1 [0062.666] GetFileType (hFile=0x30c) returned 0x1 [0062.666] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x42 [0062.666] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.667] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.667] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.667] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.669] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.669] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.669] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.669] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.669] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.670] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.670] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.670] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.670] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.671] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.671] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.671] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0x1000, lpOverlapped=0x0) returned 1 [0062.672] WriteFile (in: hFile=0x30c, lpBuffer=0x316aec0*, nNumberOfBytesToWrite=0xf6b, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x316aec0*, lpNumberOfBytesWritten=0xf1e498*=0xf6b, lpOverlapped=0x0) returned 1 [0062.672] CloseHandle (hObject=0x30c) returned 1 [0062.739] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.739] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x86 [0062.739] SetErrorMode (uMode=0x1) returned 0x0 [0062.739] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7667a0, ftCreationTime.dwHighDateTime=0x1d5bd26, ftLastAccessTime.dwLowDateTime=0x625de2d0, ftLastAccessTime.dwHighDateTime=0x1d5c167, ftLastWriteTime.dwLowDateTime=0xdb6b0068, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15fad)) returned 1 [0062.739] SetErrorMode (uMode=0x0) returned 0x1 [0062.739] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0062.939] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif", lpFilePart=0x0) returned 0x56 [0062.939] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\VUIgmg-6k-bN DJNU.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\vuigmg-6k-bn djnu.gif")) returned 0 [0062.939] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1e2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0062.939] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1e180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0062.939] SetErrorMode (uMode=0x1) returned 0x0 [0062.939] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xc5b05840, ftLastWriteTime.dwHighDateTime=0x1d5c248, nFileSizeHigh=0x0, nFileSizeLow=0x7a2)) returned 1 [0062.939] SetErrorMode (uMode=0x0) returned 0x1 [0062.940] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0062.940] SetErrorMode (uMode=0x1) returned 0x0 [0062.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.940] GetFileType (hFile=0x30c) returned 0x1 [0062.940] SetErrorMode (uMode=0x0) returned 0x1 [0062.940] GetFileType (hFile=0x30c) returned 0x1 [0062.940] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-1872, lpDistanceToMoveHigh=0xf1e660*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x52 [0062.940] ReadFile (in: hFile=0x30c, lpBuffer=0x316db58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e4f8, lpOverlapped=0x0 | out: lpBuffer=0x316db58*, lpNumberOfBytesRead=0xf1e4f8*=0x750, lpOverlapped=0x0) returned 1 [0062.940] CloseHandle (hObject=0x30c) returned 1 [0062.940] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0062.940] SetErrorMode (uMode=0x1) returned 0x0 [0062.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0062.940] GetFileType (hFile=0x30c) returned 0x1 [0062.941] SetErrorMode (uMode=0x0) returned 0x1 [0062.941] GetFileType (hFile=0x30c) returned 0x1 [0062.941] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e618 | out: lpFileSizeHigh=0xf1e618*=0x0) returned 0x7a2 [0062.941] SetFilePointer (in: hFile=0x30c, lDistanceToMove=82, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x52 [0062.941] SetEndOfFile (hFile=0x30c) returned 1 [0063.042] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e670*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e670*=0) returned 0x0 [0063.042] CloseHandle (hObject=0x30c) returned 1 [0063.042] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0063.042] SetErrorMode (uMode=0x1) returned 0x0 [0063.042] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.043] GetFileType (hFile=0x30c) returned 0x1 [0063.043] SetErrorMode (uMode=0x0) returned 0x1 [0063.043] GetFileType (hFile=0x30c) returned 0x1 [0063.043] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e3a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e3a0*=0) returned 0x52 [0063.043] WriteFile (in: hFile=0x30c, lpBuffer=0x3176e70*, nNumberOfBytesToWrite=0xabf, lpNumberOfBytesWritten=0xf1e498, lpOverlapped=0x0 | out: lpBuffer=0x3176e70*, lpNumberOfBytesWritten=0xf1e498*=0xabf, lpOverlapped=0x0) returned 1 [0063.044] CloseHandle (hObject=0x30c) returned 1 [0063.045] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0063.045] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x85 [0063.045] SetErrorMode (uMode=0x1) returned 0x0 [0063.045] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), fInfoLevelId=0x0, lpFileInformation=0xf1e4d0 | out: lpFileInformation=0xf1e4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xdba1d9cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb11)) returned 1 [0063.045] SetErrorMode (uMode=0x0) returned 0x1 [0063.045] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.045] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3", lpFilePart=0x0) returned 0x55 [0063.045] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\xRSxrtnv8iByIbSF.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\xrsxrtnv8ibyibsf.mp3")) returned 0 [0063.046] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1dfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x58 [0063.046] SetErrorMode (uMode=0x1) returned 0x0 [0063.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\#DECRYPT MY FILES#.html" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\euwzwkkhgoly\\4yp7hqqhs\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.046] GetFileType (hFile=0x30c) returned 0x1 [0063.046] SetErrorMode (uMode=0x0) returned 0x1 [0063.046] GetFileType (hFile=0x30c) returned 0x1 [0063.046] WriteFile (in: hFile=0x30c, lpBuffer=0x317a378*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e548, lpOverlapped=0x0 | out: lpBuffer=0x317a378*, lpNumberOfBytesWritten=0xf1e548*=0x1000, lpOverlapped=0x0) returned 1 [0063.048] WriteFile (in: hFile=0x30c, lpBuffer=0x317a378*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e548, lpOverlapped=0x0 | out: lpBuffer=0x317a378*, lpNumberOfBytesWritten=0xf1e548*=0x443, lpOverlapped=0x0) returned 1 [0063.048] CloseHandle (hObject=0x30c) returned 1 [0063.048] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS", nBufferLength=0x105, lpBuffer=0xf1e1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS", lpFilePart=0x0) returned 0x40 [0063.048] SetErrorMode (uMode=0x1) returned 0x0 [0063.048] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\euwZWkKHGolY\\4YP7HqQHS\\*", lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0xdba1d9cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdba1d9cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13545eb0, ftCreationTime.dwHighDateTime=0x1d5c33f, ftLastAccessTime.dwLowDateTime=0xdba1d9cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdba1d9cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdba1d9cb, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdba1d9cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdba43ba3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd043c90, ftCreationTime.dwHighDateTime=0x1d5bf09, ftLastAccessTime.dwLowDateTime=0xda17ab90, ftLastAccessTime.dwHighDateTime=0x1d5c544, ftLastWriteTime.dwLowDateTime=0xdb0dce96, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1696d, dwReserved0=0x0, dwReserved1=0x0, cFileName="DDTioX.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DDTIOX~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf968aea0, ftCreationTime.dwHighDateTime=0x1d5be86, ftLastAccessTime.dwLowDateTime=0x545c3d50, ftLastAccessTime.dwHighDateTime=0x1d5beef, ftLastWriteTime.dwLowDateTime=0xdb2342d6, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x11627, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEa-lpYoEt2.swf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="EEA-LP~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981f7cd0, ftCreationTime.dwHighDateTime=0x1d5bbdb, ftLastAccessTime.dwLowDateTime=0xf8c6b440, ftLastAccessTime.dwHighDateTime=0x1d5b8de, ftLastWriteTime.dwLowDateTime=0xdb318f2e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ff09, dwReserved0=0x0, dwReserved1=0x0, cFileName="FmyEhH1MSJfnC7hBl.avi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="FMYEHH~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5d95e0, ftCreationTime.dwHighDateTime=0x1d5ba4e, ftLastAccessTime.dwLowDateTime=0x1403c510, ftLastAccessTime.dwHighDateTime=0x1d5c54e, ftLastWriteTime.dwLowDateTime=0xdb36532b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xe2f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="FpGsji mckJ_Ib.csv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="FPGSJI~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9cc62a0, ftCreationTime.dwHighDateTime=0x1d5b8a4, ftLastAccessTime.dwLowDateTime=0x95f3bdb0, ftLastAccessTime.dwHighDateTime=0x1d5c232, ftLastWriteTime.dwLowDateTime=0xdb470357, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1799b, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtLz_6.flv[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="RTLZ_6~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7667a0, ftCreationTime.dwHighDateTime=0x1d5bd26, ftLastAccessTime.dwLowDateTime=0x625de2d0, ftLastAccessTime.dwHighDateTime=0x1d5c167, ftLastWriteTime.dwLowDateTime=0xdb6b0068, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15fad, dwReserved0=0x0, dwReserved1=0x0, cFileName="VUIgmg-6k-bN DJNU.gif[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="VUIGMG~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xdba1d9cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb11, dwReserved0=0x0, dwReserved1=0x0, cFileName="xRSxrtnv8iByIbSF.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="XRSXRT~1.PRT")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x10b3110, lpFindFileData=0xf1e380 | out: lpFindFileData=0xf1e380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd197910, ftCreationTime.dwHighDateTime=0x1d5c044, ftLastAccessTime.dwLowDateTime=0xc5b05840, ftLastAccessTime.dwHighDateTime=0x1d5c248, ftLastWriteTime.dwLowDateTime=0xdba1d9cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xb11, dwReserved0=0x0, dwReserved1=0x0, cFileName="xRSxrtnv8iByIbSF.mp3[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="XRSXRT~1.PRT")) returned 0 [0063.049] FindClose (in: hFindFile=0x10b3110 | out: hFindFile=0x10b3110) returned 1 [0063.049] SetErrorMode (uMode=0x0) returned 0x1 [0063.049] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0063.049] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0063.050] CoTaskMemFree (pv=0x10bd8a0) [0063.050] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0063.050] CoCreateGuid (in: pguid=0xf1e6d0 | out: pguid=0xf1e6d0*(Data1=0xab56a875, Data2=0x30dd, Data3=0x4e48, Data4=([0]=0x9f, [1]=0xfe, [2]=0x4, [3]=0xf5, [4]=0xc2, [5]=0x65, [6]=0x63, [7]=0x75))) returned 0x0 [0063.050] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0063.050] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0063.050] CoTaskMemFree (pv=0x10bd680) [0063.050] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0063.050] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint", lpFilePart=0x0) returned 0x2e [0063.050] SetErrorMode (uMode=0x1) returned 0x0 [0063.050] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\*.*", lpFindFileData=0xf1e460 | out: lpFindFileData=0xf1e460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0x6eaf1540, ftLastAccessTime.dwHighDateTime=0x1d5c5b8, ftLastWriteTime.dwLowDateTime=0x6eaf1540, ftLastWriteTime.dwHighDateTime=0x1d5c5b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0063.050] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0x6eaf1540, ftLastAccessTime.dwHighDateTime=0x1d5c5b8, ftLastWriteTime.dwLowDateTime=0x6eaf1540, ftLastWriteTime.dwHighDateTime=0x1d5c5b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.051] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37a040b0, ftCreationTime.dwHighDateTime=0x1d5baaf, ftLastAccessTime.dwLowDateTime=0x5c5fd8a0, ftLastAccessTime.dwHighDateTime=0x1d5c321, ftLastWriteTime.dwLowDateTime=0x5c5fd8a0, ftLastWriteTime.dwHighDateTime=0x1d5c321, nFileSizeHigh=0x0, nFileSizeLow=0x14b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="5cMybALc71TfcLGH.bmp", cAlternateFileName="5CMYBA~1.BMP")) returned 1 [0063.051] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d3a8790, ftCreationTime.dwHighDateTime=0x1d5be95, ftLastAccessTime.dwLowDateTime=0xf7463400, ftLastAccessTime.dwHighDateTime=0x1d5bf5b, ftLastWriteTime.dwLowDateTime=0xf7463400, ftLastWriteTime.dwHighDateTime=0x1d5bf5b, nFileSizeHigh=0x0, nFileSizeLow=0x1219d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ktyDE7S1liK5.m4a", cAlternateFileName="KTYDE7~1.M4A")) returned 1 [0063.051] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb53512b0, ftCreationTime.dwHighDateTime=0x1d5b679, ftLastAccessTime.dwLowDateTime=0x1aee99b0, ftLastAccessTime.dwHighDateTime=0x1d5c367, ftLastWriteTime.dwLowDateTime=0x1aee99b0, ftLastWriteTime.dwHighDateTime=0x1d5c367, nFileSizeHigh=0x0, nFileSizeLow=0x16d49, dwReserved0=0x0, dwReserved1=0x0, cFileName="x t0SM5ueqs.xls", cAlternateFileName="XT0SM5~1.XLS")) returned 1 [0063.051] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xe64d3080, ftLastWriteTime.dwHighDateTime=0x1d5b68d, nFileSizeHigh=0x0, nFileSizeLow=0x4671, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxO7usXABrLDPO30.jpg", cAlternateFileName="YXO7US~1.JPG")) returned 1 [0063.051] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e470 | out: lpFindFileData=0xf1e470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xe64d3080, ftLastWriteTime.dwHighDateTime=0x1d5b68d, nFileSizeHigh=0x0, nFileSizeLow=0x4671, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxO7usXABrLDPO30.jpg", cAlternateFileName="YXO7US~1.JPG")) returned 0 [0063.051] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0063.051] SetErrorMode (uMode=0x0) returned 0x1 [0063.051] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e390, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.051] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.051] SetErrorMode (uMode=0x1) returned 0x0 [0063.051] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37a040b0, ftCreationTime.dwHighDateTime=0x1d5baaf, ftLastAccessTime.dwLowDateTime=0x5c5fd8a0, ftLastAccessTime.dwHighDateTime=0x1d5c321, ftLastWriteTime.dwLowDateTime=0x5c5fd8a0, ftLastWriteTime.dwHighDateTime=0x1d5c321, nFileSizeHigh=0x0, nFileSizeLow=0x14b88)) returned 1 [0063.051] SetErrorMode (uMode=0x0) returned 0x1 [0063.051] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.051] SetErrorMode (uMode=0x1) returned 0x0 [0063.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.052] GetFileType (hFile=0x30c) returned 0x1 [0063.052] SetErrorMode (uMode=0x0) returned 0x1 [0063.052] GetFileType (hFile=0x30c) returned 0x1 [0063.052] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e720*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e720*=0) returned 0x5189 [0063.052] ReadFile (in: hFile=0x30c, lpBuffer=0x3189910, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e5b8, lpOverlapped=0x0 | out: lpBuffer=0x3189910*, lpNumberOfBytesRead=0xf1e5b8*=0xf9ff, lpOverlapped=0x0) returned 1 [0063.052] CloseHandle (hObject=0x30c) returned 1 [0063.052] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.052] SetErrorMode (uMode=0x1) returned 0x0 [0063.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.053] GetFileType (hFile=0x30c) returned 0x1 [0063.053] SetErrorMode (uMode=0x0) returned 0x1 [0063.053] GetFileType (hFile=0x30c) returned 0x1 [0063.053] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e6d8 | out: lpFileSizeHigh=0xf1e6d8*=0x0) returned 0x14b88 [0063.053] SetFilePointer (in: hFile=0x30c, lDistanceToMove=20873, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x5189 [0063.053] SetEndOfFile (hFile=0x30c) returned 1 [0063.055] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x0 [0063.055] CloseHandle (hObject=0x30c) returned 1 [0063.126] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1dff0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.126] SetErrorMode (uMode=0x1) returned 0x0 [0063.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.126] GetFileType (hFile=0x30c) returned 0x1 [0063.126] SetErrorMode (uMode=0x0) returned 0x1 [0063.126] GetFileType (hFile=0x30c) returned 0x1 [0063.126] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e460*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e460*=0) returned 0x5189 [0063.126] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.127] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.127] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.128] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.129] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.130] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.130] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.130] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.130] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.130] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.131] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.131] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.131] WriteFile (in: hFile=0x30c, lpBuffer=0x3013cb8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3013cb8*, lpNumberOfBytesWritten=0xf1e558*=0xcbf, lpOverlapped=0x0) returned 1 [0063.131] CloseHandle (hObject=0x30c) returned 1 [0063.134] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.134] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x73 [0063.134] SetErrorMode (uMode=0x1) returned 0x0 [0063.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e590 | out: lpFileInformation=0xf1e590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37a040b0, ftCreationTime.dwHighDateTime=0x1d5baaf, ftLastAccessTime.dwLowDateTime=0x5c5fd8a0, ftLastAccessTime.dwHighDateTime=0x1d5c321, ftLastWriteTime.dwLowDateTime=0xdbb029d4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1be48)) returned 1 [0063.134] SetErrorMode (uMode=0x0) returned 0x1 [0063.134] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.135] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp", lpFilePart=0x0) returned 0x43 [0063.135] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\5cMybALc71TfcLGH.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\5cmybalc71tfclgh.bmp")) returned 0 [0063.135] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e390, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.135] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.135] SetErrorMode (uMode=0x1) returned 0x0 [0063.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d3a8790, ftCreationTime.dwHighDateTime=0x1d5be95, ftLastAccessTime.dwLowDateTime=0xf7463400, ftLastAccessTime.dwHighDateTime=0x1d5bf5b, ftLastWriteTime.dwLowDateTime=0xf7463400, ftLastWriteTime.dwHighDateTime=0x1d5bf5b, nFileSizeHigh=0x0, nFileSizeLow=0x1219d)) returned 1 [0063.135] SetErrorMode (uMode=0x0) returned 0x1 [0063.135] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.135] SetErrorMode (uMode=0x1) returned 0x0 [0063.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.135] GetFileType (hFile=0x30c) returned 0x1 [0063.135] SetErrorMode (uMode=0x0) returned 0x1 [0063.135] GetFileType (hFile=0x30c) returned 0x1 [0063.135] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e720*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e720*=0) returned 0x279e [0063.135] ReadFile (in: hFile=0x30c, lpBuffer=0x3015d58, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e5b8, lpOverlapped=0x0 | out: lpBuffer=0x3015d58*, lpNumberOfBytesRead=0xf1e5b8*=0xf9ff, lpOverlapped=0x0) returned 1 [0063.136] CloseHandle (hObject=0x30c) returned 1 [0063.136] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.136] SetErrorMode (uMode=0x1) returned 0x0 [0063.136] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.136] GetFileType (hFile=0x30c) returned 0x1 [0063.136] SetErrorMode (uMode=0x0) returned 0x1 [0063.136] GetFileType (hFile=0x30c) returned 0x1 [0063.136] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e6d8 | out: lpFileSizeHigh=0xf1e6d8*=0x0) returned 0x1219d [0063.136] SetFilePointer (in: hFile=0x30c, lDistanceToMove=10142, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x279e [0063.137] SetEndOfFile (hFile=0x30c) returned 1 [0063.139] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x0 [0063.139] CloseHandle (hObject=0x30c) returned 1 [0063.216] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1dff0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.216] SetErrorMode (uMode=0x1) returned 0x0 [0063.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.217] GetFileType (hFile=0x30c) returned 0x1 [0063.217] SetErrorMode (uMode=0x0) returned 0x1 [0063.217] GetFileType (hFile=0x30c) returned 0x1 [0063.217] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e460*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e460*=0) returned 0x279e [0063.217] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.218] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.218] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.218] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.227] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.227] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.227] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.227] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.228] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.229] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.230] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.230] WriteFile (in: hFile=0x30c, lpBuffer=0x3097f60*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x3097f60*, lpNumberOfBytesWritten=0xf1e558*=0xcbf, lpOverlapped=0x0) returned 1 [0063.230] CloseHandle (hObject=0x30c) returned 1 [0063.232] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.233] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x6f [0063.233] SetErrorMode (uMode=0x1) returned 0x0 [0063.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), fInfoLevelId=0x0, lpFileInformation=0xf1e590 | out: lpFileInformation=0xf1e590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d3a8790, ftCreationTime.dwHighDateTime=0x1d5be95, ftLastAccessTime.dwLowDateTime=0xf7463400, ftLastAccessTime.dwHighDateTime=0x1d5bf5b, ftLastWriteTime.dwLowDateTime=0xdbbe7670, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1945d)) returned 1 [0063.233] SetErrorMode (uMode=0x0) returned 0x1 [0063.233] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.233] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a", lpFilePart=0x0) returned 0x3f [0063.233] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\ktyDE7S1liK5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\ktyde7s1lik5.m4a")) returned 0 [0063.233] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e390, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.234] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.234] SetErrorMode (uMode=0x1) returned 0x0 [0063.234] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb53512b0, ftCreationTime.dwHighDateTime=0x1d5b679, ftLastAccessTime.dwLowDateTime=0x1aee99b0, ftLastAccessTime.dwHighDateTime=0x1d5c367, ftLastWriteTime.dwLowDateTime=0x1aee99b0, ftLastWriteTime.dwHighDateTime=0x1d5c367, nFileSizeHigh=0x0, nFileSizeLow=0x16d49)) returned 1 [0063.234] SetErrorMode (uMode=0x0) returned 0x1 [0063.236] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.236] SetErrorMode (uMode=0x1) returned 0x0 [0063.236] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.236] GetFileType (hFile=0x30c) returned 0x1 [0063.236] SetErrorMode (uMode=0x0) returned 0x1 [0063.236] GetFileType (hFile=0x30c) returned 0x1 [0063.236] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e720*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e720*=0) returned 0x734a [0063.236] ReadFile (in: hFile=0x30c, lpBuffer=0x3099fd8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e5b8, lpOverlapped=0x0 | out: lpBuffer=0x3099fd8*, lpNumberOfBytesRead=0xf1e5b8*=0xf9ff, lpOverlapped=0x0) returned 1 [0063.237] CloseHandle (hObject=0x30c) returned 1 [0063.237] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.237] SetErrorMode (uMode=0x1) returned 0x0 [0063.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.237] GetFileType (hFile=0x30c) returned 0x1 [0063.237] SetErrorMode (uMode=0x0) returned 0x1 [0063.237] GetFileType (hFile=0x30c) returned 0x1 [0063.237] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e6d8 | out: lpFileSizeHigh=0xf1e6d8*=0x0) returned 0x16d49 [0063.237] SetFilePointer (in: hFile=0x30c, lDistanceToMove=29514, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x734a [0063.237] SetEndOfFile (hFile=0x30c) returned 1 [0063.239] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x0 [0063.240] CloseHandle (hObject=0x30c) returned 1 [0063.297] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1dff0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.297] SetErrorMode (uMode=0x1) returned 0x0 [0063.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.306] GetFileType (hFile=0x30c) returned 0x1 [0063.306] SetErrorMode (uMode=0x0) returned 0x1 [0063.306] GetFileType (hFile=0x30c) returned 0x1 [0063.306] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e460*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e460*=0) returned 0x734a [0063.306] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.307] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.307] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.307] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.308] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.309] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.310] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.310] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.310] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.310] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.310] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.311] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.311] WriteFile (in: hFile=0x30c, lpBuffer=0x311c100*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x311c100*, lpNumberOfBytesWritten=0xf1e558*=0xcbf, lpOverlapped=0x0) returned 1 [0063.311] CloseHandle (hObject=0x30c) returned 1 [0063.314] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.314] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x6e [0063.314] SetErrorMode (uMode=0x1) returned 0x0 [0063.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), fInfoLevelId=0x0, lpFileInformation=0xf1e590 | out: lpFileInformation=0xf1e590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb53512b0, ftCreationTime.dwHighDateTime=0x1d5b679, ftLastAccessTime.dwLowDateTime=0x1aee99b0, ftLastAccessTime.dwHighDateTime=0x1d5c367, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e009)) returned 1 [0063.314] SetErrorMode (uMode=0x0) returned 0x1 [0063.314] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.315] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls", lpFilePart=0x0) returned 0x3e [0063.315] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\x t0SM5ueqs.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\x t0sm5ueqs.xls")) returned 0 [0063.315] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e390, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.315] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.315] SetErrorMode (uMode=0x1) returned 0x0 [0063.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xe64d3080, ftLastWriteTime.dwHighDateTime=0x1d5b68d, nFileSizeHigh=0x0, nFileSizeLow=0x4671)) returned 1 [0063.315] SetErrorMode (uMode=0x0) returned 0x1 [0063.315] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.316] SetErrorMode (uMode=0x1) returned 0x0 [0063.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.316] GetFileType (hFile=0x30c) returned 0x1 [0063.316] SetErrorMode (uMode=0x0) returned 0x1 [0063.316] GetFileType (hFile=0x30c) returned 0x1 [0063.316] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18018, lpDistanceToMoveHigh=0xf1e720*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e720*=0) returned 0xf [0063.316] ReadFile (in: hFile=0x30c, lpBuffer=0x311e198, nNumberOfBytesToRead=0x4662, lpNumberOfBytesRead=0xf1e5b8, lpOverlapped=0x0 | out: lpBuffer=0x311e198*, lpNumberOfBytesRead=0xf1e5b8*=0x4662, lpOverlapped=0x0) returned 1 [0063.316] CloseHandle (hObject=0x30c) returned 1 [0063.316] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.316] SetErrorMode (uMode=0x1) returned 0x0 [0063.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.316] GetFileType (hFile=0x30c) returned 0x1 [0063.316] SetErrorMode (uMode=0x0) returned 0x1 [0063.316] GetFileType (hFile=0x30c) returned 0x1 [0063.317] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e6d8 | out: lpFileSizeHigh=0xf1e6d8*=0x0) returned 0x4671 [0063.317] SetFilePointer (in: hFile=0x30c, lDistanceToMove=15, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0xf [0063.317] SetEndOfFile (hFile=0x30c) returned 1 [0063.319] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e730*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e730*=0) returned 0x0 [0063.319] CloseHandle (hObject=0x30c) returned 1 [0063.322] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1dff0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.322] SetErrorMode (uMode=0x1) returned 0x0 [0063.322] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.322] GetFileType (hFile=0x30c) returned 0x1 [0063.322] SetErrorMode (uMode=0x0) returned 0x1 [0063.322] GetFileType (hFile=0x30c) returned 0x1 [0063.322] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e460*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e460*=0) returned 0xf [0063.322] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.323] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.323] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.324] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.324] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.324] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x1000, lpOverlapped=0x0) returned 1 [0063.324] WriteFile (in: hFile=0x30c, lpBuffer=0x31645e8*, nNumberOfBytesToWrite=0x6bf, lpNumberOfBytesWritten=0xf1e558, lpOverlapped=0x0 | out: lpBuffer=0x31645e8*, lpNumberOfBytesWritten=0xf1e558*=0x6bf, lpOverlapped=0x0) returned 1 [0063.324] CloseHandle (hObject=0x30c) returned 1 [0063.325] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x73 [0063.326] SetErrorMode (uMode=0x1) returned 0x0 [0063.326] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), fInfoLevelId=0x0, lpFileInformation=0xf1e590 | out: lpFileInformation=0xf1e590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x66ce)) returned 1 [0063.326] SetErrorMode (uMode=0x0) returned 0x1 [0063.326] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg", lpFilePart=0x0) returned 0x43 [0063.326] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\yxO7usXABrLDPO30.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\yxo7usxabrldpo30.jpg")) returned 0 [0063.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x46 [0063.327] SetErrorMode (uMode=0x1) returned 0x0 [0063.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\#DECRYPT MY FILES#.html" (normalized: "c:\\users\\fd1hvy\\desktop\\urfyazp6ycome0ken\\tint\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.327] GetFileType (hFile=0x30c) returned 0x1 [0063.327] SetErrorMode (uMode=0x0) returned 0x1 [0063.327] GetFileType (hFile=0x30c) returned 0x1 [0063.328] WriteFile (in: hFile=0x30c, lpBuffer=0x31679d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e608, lpOverlapped=0x0 | out: lpBuffer=0x31679d8*, lpNumberOfBytesWritten=0xf1e608*=0x1000, lpOverlapped=0x0) returned 1 [0063.329] WriteFile (in: hFile=0x30c, lpBuffer=0x31679d8*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e608, lpOverlapped=0x0 | out: lpBuffer=0x31679d8*, lpNumberOfBytesWritten=0xf1e608*=0x443, lpOverlapped=0x0) returned 1 [0063.329] CloseHandle (hObject=0x30c) returned 1 [0063.329] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint", lpFilePart=0x0) returned 0x2e [0063.329] SetErrorMode (uMode=0x1) returned 0x0 [0063.329] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\URfyazp6YCOme0Ken\\tint\\*", lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0xdbccc498, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0063.329] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0b24690, ftCreationTime.dwHighDateTime=0x1d5b8be, ftLastAccessTime.dwLowDateTime=0xdbccc498, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.329] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbccc498, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdbccc498, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdbcf255b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0063.329] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37a040b0, ftCreationTime.dwHighDateTime=0x1d5baaf, ftLastAccessTime.dwLowDateTime=0x5c5fd8a0, ftLastAccessTime.dwHighDateTime=0x1d5c321, ftLastWriteTime.dwLowDateTime=0xdbb029d4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1be48, dwReserved0=0x0, dwReserved1=0x0, cFileName="5cMybALc71TfcLGH.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="5CMYBA~1.PRT")) returned 1 [0063.329] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d3a8790, ftCreationTime.dwHighDateTime=0x1d5be95, ftLastAccessTime.dwLowDateTime=0xf7463400, ftLastAccessTime.dwHighDateTime=0x1d5bf5b, ftLastWriteTime.dwLowDateTime=0xdbbe7670, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1945d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ktyDE7S1liK5.m4a[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="KTYDE7~1.PRT")) returned 1 [0063.330] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb53512b0, ftCreationTime.dwHighDateTime=0x1d5b679, ftLastAccessTime.dwLowDateTime=0x1aee99b0, ftLastAccessTime.dwHighDateTime=0x1d5c367, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e009, dwReserved0=0x0, dwReserved1=0x0, cFileName="x t0SM5ueqs.xls[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="XT0SM5~1.PRT")) returned 1 [0063.330] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x66ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxO7usXABrLDPO30.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="YXO7US~1.PRT")) returned 1 [0063.330] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e440 | out: lpFindFileData=0xf1e440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316cdea0, ftCreationTime.dwHighDateTime=0x1d5c30c, ftLastAccessTime.dwLowDateTime=0xe64d3080, ftLastAccessTime.dwHighDateTime=0x1d5b68d, ftLastWriteTime.dwLowDateTime=0xdbccc498, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x66ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxO7usXABrLDPO30.jpg[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="YXO7US~1.PRT")) returned 0 [0063.330] FindClose (in: hFindFile=0x10b3b30 | out: hFindFile=0x10b3b30) returned 1 [0063.330] SetErrorMode (uMode=0x0) returned 0x1 [0063.643] CoCreateGuid (in: pguid=0xf1e8d0 | out: pguid=0xf1e8d0*(Data1=0x27eff44, Data2=0x20e6, Data3=0x4aa2, Data4=([0]=0xbe, [1]=0xbe, [2]=0xb9, [3]=0x5a, [4]=0xe0, [5]=0x49, [6]=0xd3, [7]=0xfd))) returned 0x0 [0063.644] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0063.644] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0063.644] CoTaskMemFree (pv=0x10be120) [0063.644] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0063.644] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xf1e4c0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0063.644] SetErrorMode (uMode=0x1) returned 0x0 [0063.644] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0xf1e660 | out: lpFindFileData=0xf1e660*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x10b3a10 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x96715303, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f4eb01, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f74cd7, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e670 | out: lpFindFileData=0xf1e670*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0063.647] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0063.647] SetErrorMode (uMode=0x0) returned 0x1 [0063.648] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.648] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.648] SetErrorMode (uMode=0x1) returned 0x0 [0063.648] GetFileAttributesExW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0063.649] SetErrorMode (uMode=0x0) returned 0x1 [0063.649] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.650] SetErrorMode (uMode=0x1) returned 0x0 [0063.650] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.650] GetFileType (hFile=0x30c) returned 0x1 [0063.650] SetErrorMode (uMode=0x0) returned 0x1 [0063.650] GetFileType (hFile=0x30c) returned 0x1 [0063.650] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e908 | out: lpFileSizeHigh=0xf1e908*=0x0) returned 0x0 [0063.650] CloseHandle (hObject=0x30c) returned 1 [0063.650] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e320, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.650] SetErrorMode (uMode=0x1) returned 0x0 [0063.651] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.651] GetFileType (hFile=0x30c) returned 0x1 [0063.651] SetErrorMode (uMode=0x0) returned 0x1 [0063.651] GetFileType (hFile=0x30c) returned 0x1 [0063.651] SetEndOfFile (hFile=0x30c) returned 1 [0063.651] CloseHandle (hObject=0x30c) returned 1 [0063.651] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.651] SetErrorMode (uMode=0x1) returned 0x0 [0063.652] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.652] GetFileType (hFile=0x30c) returned 0x1 [0063.652] SetErrorMode (uMode=0x0) returned 0x1 [0063.652] GetFileType (hFile=0x30c) returned 0x1 [0063.652] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e660*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x0 [0063.652] WriteFile (in: hFile=0x30c, lpBuffer=0x316e1d8*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e758, lpOverlapped=0x0 | out: lpBuffer=0x316e1d8*, lpNumberOfBytesWritten=0xf1e758*=0xbf, lpOverlapped=0x0) returned 1 [0063.653] CloseHandle (hObject=0x30c) returned 1 [0063.654] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e540, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.654] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e540, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x51 [0063.654] SetErrorMode (uMode=0x1) returned 0x0 [0063.654] GetFileAttributesExW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0xdc00437a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0063.654] SetErrorMode (uMode=0x0) returned 0x1 [0063.654] MoveFileW (lpExistingFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$winre_backup_partition.marker[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.655] GetFullPathNameW (in: lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", nBufferLength=0x105, lpBuffer=0xf1e550, lpFilePart=0x0 | out: lpBuffer="C:\\$WINRE_BACKUP_PARTITION.MARKER", lpFilePart=0x0) returned 0x21 [0063.655] DeleteFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker")) returned 0 [0063.655] GetFullPathNameW (in: lpFileName="C:\\bootmgr", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\bootmgr", lpFilePart=0x0) returned 0xa [0063.655] GetFullPathNameW (in: lpFileName="C:\\bootmgr", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\bootmgr", lpFilePart=0x0) returned 0xa [0063.655] SetErrorMode (uMode=0x1) returned 0x0 [0063.655] GetFileAttributesExW (in: lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da)) returned 1 [0063.657] SetErrorMode (uMode=0x0) returned 0x1 [0063.657] GetFullPathNameW (in: lpFileName="C:\\bootmgr", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\bootmgr", lpFilePart=0x0) returned 0xa [0063.657] SetErrorMode (uMode=0x1) returned 0x0 [0063.657] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.657] GetFileType (hFile=0x30c) returned 0x1 [0063.657] SetErrorMode (uMode=0x0) returned 0x1 [0063.657] GetFileType (hFile=0x30c) returned 0x1 [0063.657] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e920*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e920*=0) returned 0x50ddb [0063.657] ReadFile (in: hFile=0x30c, lpBuffer=0x31888c0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e7b8, lpOverlapped=0x0 | out: lpBuffer=0x31888c0*, lpNumberOfBytesRead=0xf1e7b8*=0xf9ff, lpOverlapped=0x0) returned 1 [0063.781] CloseHandle (hObject=0x30c) returned 1 [0063.781] GetFullPathNameW (in: lpFileName="C:\\bootmgr", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\bootmgr", lpFilePart=0x0) returned 0xa [0063.781] SetErrorMode (uMode=0x1) returned 0x0 [0063.781] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0063.803] SetErrorMode (uMode=0x0) returned 0x1 [0063.804] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.804] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.805] SetErrorMode (uMode=0x1) returned 0x0 [0063.805] GetFileAttributesExW (in: lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0063.814] SetErrorMode (uMode=0x0) returned 0x1 [0063.814] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.814] SetErrorMode (uMode=0x1) returned 0x0 [0063.814] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.814] GetFileType (hFile=0x30c) returned 0x1 [0063.814] SetErrorMode (uMode=0x0) returned 0x1 [0063.814] GetFileType (hFile=0x30c) returned 0x1 [0063.814] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e908 | out: lpFileSizeHigh=0xf1e908*=0x0) returned 0x1 [0063.814] ReadFile (in: hFile=0x30c, lpBuffer=0x3199878, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e7e8, lpOverlapped=0x0 | out: lpBuffer=0x3199878*, lpNumberOfBytesRead=0xf1e7e8*=0x1, lpOverlapped=0x0) returned 1 [0063.815] CloseHandle (hObject=0x30c) returned 1 [0063.815] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e320, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.815] SetErrorMode (uMode=0x1) returned 0x0 [0063.816] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.816] GetFileType (hFile=0x30c) returned 0x1 [0063.816] SetErrorMode (uMode=0x0) returned 0x1 [0063.816] GetFileType (hFile=0x30c) returned 0x1 [0063.816] SetEndOfFile (hFile=0x30c) returned 1 [0063.817] CloseHandle (hObject=0x30c) returned 1 [0063.817] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.817] SetErrorMode (uMode=0x1) returned 0x0 [0063.817] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.817] GetFileType (hFile=0x30c) returned 0x1 [0063.817] SetErrorMode (uMode=0x0) returned 0x1 [0063.817] GetFileType (hFile=0x30c) returned 0x1 [0063.817] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e660*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e660*=0) returned 0x0 [0063.818] WriteFile (in: hFile=0x30c, lpBuffer=0x319c0d0*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e758, lpOverlapped=0x0 | out: lpBuffer=0x319c0d0*, lpNumberOfBytesWritten=0xf1e758*=0xbf, lpOverlapped=0x0) returned 1 [0063.818] CloseHandle (hObject=0x30c) returned 1 [0063.819] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e540, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.819] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e540, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x3a [0063.820] SetErrorMode (uMode=0x1) returned 0x0 [0063.820] GetFileAttributesExW (in: lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), fInfoLevelId=0x0, lpFileInformation=0xf1e790 | out: lpFileInformation=0xf1e790*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xdc181cec, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0063.820] SetErrorMode (uMode=0x0) returned 0x1 [0063.820] MoveFileW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\bootnxt[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.820] GetFullPathNameW (in: lpFileName="C:\\BOOTNXT", nBufferLength=0x105, lpBuffer=0xf1e550, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTNXT", lpFilePart=0x0) returned 0xa [0063.820] DeleteFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 0 [0063.820] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0063.820] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0063.821] SetErrorMode (uMode=0x1) returned 0x0 [0063.821] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0063.821] SetErrorMode (uMode=0x0) returned 0x1 [0063.821] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0063.821] SetErrorMode (uMode=0x1) returned 0x0 [0063.821] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.821] GetFileType (hFile=0x30c) returned 0x1 [0063.821] SetErrorMode (uMode=0x0) returned 0x1 [0063.822] GetFileType (hFile=0x30c) returned 0x1 [0063.822] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-8190, lpDistanceToMoveHigh=0xf1e920*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e920*=0) returned 0x2 [0063.822] ReadFile (in: hFile=0x30c, lpBuffer=0x319dee8, nNumberOfBytesToRead=0x1ffe, lpNumberOfBytesRead=0xf1e7b8, lpOverlapped=0x0 | out: lpBuffer=0x319dee8*, lpNumberOfBytesRead=0xf1e7b8*=0x1ffe, lpOverlapped=0x0) returned 1 [0063.829] CloseHandle (hObject=0x30c) returned 1 [0063.829] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0063.829] SetErrorMode (uMode=0x1) returned 0x0 [0063.829] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0063.850] SetErrorMode (uMode=0x0) returned 0x1 [0063.851] GetFullPathNameW (in: lpFileName="C:\\hiberfil.sys", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\hiberfil.sys", lpFilePart=0x0) returned 0xf [0063.851] GetFullPathNameW (in: lpFileName="C:\\hiberfil.sys", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\hiberfil.sys", lpFilePart=0x0) returned 0xf [0063.851] SetErrorMode (uMode=0x1) returned 0x0 [0063.852] GetFileAttributesExW (in: lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0063.852] SetErrorMode (uMode=0x0) returned 0x1 [0063.852] SetErrorMode (uMode=0x1) returned 0x0 [0063.852] FindFirstFileW (in: lpFileName="C:\\hiberfil.sys", lpFindFileData=0xf1e4a0 | out: lpFindFileData=0xf1e4a0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x96715303, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 0x10b3230 [0063.852] FindClose (in: hFindFile=0x10b3230 | out: hFindFile=0x10b3230) returned 1 [0063.852] SetErrorMode (uMode=0x0) returned 0x1 [0063.852] GetFullPathNameW (in: lpFileName="C:\\hiberfil.sys", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\hiberfil.sys", lpFilePart=0x0) returned 0xf [0063.852] SetErrorMode (uMode=0x1) returned 0x0 [0063.852] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0063.869] SetErrorMode (uMode=0x0) returned 0x1 [0063.870] GetFullPathNameW (in: lpFileName="C:\\pagefile.sys", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\pagefile.sys", lpFilePart=0x0) returned 0xf [0063.870] GetFullPathNameW (in: lpFileName="C:\\pagefile.sys", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\pagefile.sys", lpFilePart=0x0) returned 0xf [0063.870] SetErrorMode (uMode=0x1) returned 0x0 [0063.870] GetFileAttributesExW (in: lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0063.870] SetErrorMode (uMode=0x0) returned 0x1 [0063.870] SetErrorMode (uMode=0x1) returned 0x0 [0063.870] FindFirstFileW (in: lpFileName="C:\\pagefile.sys", lpFindFileData=0xf1e4a0 | out: lpFindFileData=0xf1e4a0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f4eb01, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 0x10b3590 [0063.871] FindClose (in: hFindFile=0x10b3590 | out: hFindFile=0x10b3590) returned 1 [0063.871] SetErrorMode (uMode=0x0) returned 0x1 [0063.871] GetFullPathNameW (in: lpFileName="C:\\pagefile.sys", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\pagefile.sys", lpFilePart=0x0) returned 0xf [0063.871] SetErrorMode (uMode=0x1) returned 0x0 [0063.871] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0063.872] SetErrorMode (uMode=0x0) returned 0x1 [0063.873] GetFullPathNameW (in: lpFileName="C:\\swapfile.sys", nBufferLength=0x105, lpBuffer=0xf1e590, lpFilePart=0x0 | out: lpBuffer="C:\\swapfile.sys", lpFilePart=0x0) returned 0xf [0063.873] GetFullPathNameW (in: lpFileName="C:\\swapfile.sys", nBufferLength=0x105, lpBuffer=0xf1e440, lpFilePart=0x0 | out: lpBuffer="C:\\swapfile.sys", lpFilePart=0x0) returned 0xf [0063.873] SetErrorMode (uMode=0x1) returned 0x0 [0063.873] GetFileAttributesExW (in: lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), fInfoLevelId=0x0, lpFileInformation=0xf1e810 | out: lpFileInformation=0xf1e810*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0063.873] SetErrorMode (uMode=0x0) returned 0x1 [0063.873] SetErrorMode (uMode=0x1) returned 0x0 [0063.873] FindFirstFileW (in: lpFileName="C:\\swapfile.sys", lpFindFileData=0xf1e4a0 | out: lpFindFileData=0xf1e4a0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f74cd7, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 0x10b2db0 [0063.873] FindClose (in: hFindFile=0x10b2db0 | out: hFindFile=0x10b2db0) returned 1 [0063.873] SetErrorMode (uMode=0x0) returned 0x1 [0063.874] GetFullPathNameW (in: lpFileName="C:\\swapfile.sys", nBufferLength=0x105, lpBuffer=0xf1e270, lpFilePart=0x0 | out: lpBuffer="C:\\swapfile.sys", lpFilePart=0x0) returned 0xf [0063.874] SetErrorMode (uMode=0x1) returned 0x0 [0063.874] CreateFileW (lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0063.875] SetErrorMode (uMode=0x0) returned 0x1 [0063.876] GetFullPathNameW (in: lpFileName="C:\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x1a [0063.876] SetErrorMode (uMode=0x1) returned 0x0 [0063.876] CreateFileW (lpFileName="C:\\#DECRYPT MY FILES#.html" (normalized: "c:\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.879] GetFileType (hFile=0x30c) returned 0x1 [0063.879] SetErrorMode (uMode=0x0) returned 0x1 [0063.879] GetFileType (hFile=0x30c) returned 0x1 [0063.879] WriteFile (in: hFile=0x30c, lpBuffer=0x31d4cd8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e808, lpOverlapped=0x0 | out: lpBuffer=0x31d4cd8*, lpNumberOfBytesWritten=0xf1e808*=0x1000, lpOverlapped=0x0) returned 1 [0063.880] WriteFile (in: hFile=0x30c, lpBuffer=0x31d4cd8*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e808, lpOverlapped=0x0 | out: lpBuffer=0x31d4cd8*, lpNumberOfBytesWritten=0xf1e808*=0x443, lpOverlapped=0x0) returned 1 [0063.880] CloseHandle (hObject=0x30c) returned 1 [0063.881] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0063.881] SetErrorMode (uMode=0x1) returned 0x0 [0063.881] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0xf1e630 | out: lpFindFileData=0xf1e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc21a43e, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc21a43e, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc21a43e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 0x10b33b0 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0xdc00437a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="$WINRE~1.PRT")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xdc181cec, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="BOOTNX~1.PRT")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0063.881] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x96715303, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f4eb01, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x98f74cd7, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e640 | out: lpFindFileData=0xf1e640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0063.882] FindClose (in: hFindFile=0x10b33b0 | out: hFindFile=0x10b33b0) returned 1 [0063.882] SetErrorMode (uMode=0x0) returned 0x1 [0063.883] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0063.883] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0063.883] CoTaskMemFree (pv=0x10bd680) [0063.883] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0063.883] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0x41e72d8a, Data2=0xb0f3, Data3=0x42fd, Data4=([0]=0x89, [1]=0xac, [2]=0xd0, [3]=0xd4, [4]=0x41, [5]=0x69, [6]=0xbe, [7]=0x7a))) returned 0x0 [0063.883] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0063.883] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0063.883] CoTaskMemFree (pv=0x10bc9c0) [0063.884] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0063.884] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent", lpFilePart=0x0) returned 0xe [0063.884] SetErrorMode (uMode=0x1) returned 0x0 [0063.884] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0063.887] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0063.887] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0063.887] SetErrorMode (uMode=0x0) returned 0x1 [0063.887] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x26 [0063.887] SetErrorMode (uMode=0x1) returned 0x0 [0063.887] CreateFileW (lpFileName="C:\\$GetCurrent\\#DECRYPT MY FILES#.html" (normalized: "c:\\$getcurrent\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.888] GetFileType (hFile=0x30c) returned 0x1 [0063.888] SetErrorMode (uMode=0x0) returned 0x1 [0063.888] GetFileType (hFile=0x30c) returned 0x1 [0063.888] WriteFile (in: hFile=0x30c, lpBuffer=0x31dac58*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31dac58*, lpNumberOfBytesWritten=0xf1e748*=0x1000, lpOverlapped=0x0) returned 1 [0063.889] WriteFile (in: hFile=0x30c, lpBuffer=0x31dac58*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31dac58*, lpNumberOfBytesWritten=0xf1e748*=0x443, lpOverlapped=0x0) returned 1 [0063.890] CloseHandle (hObject=0x30c) returned 1 [0063.890] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent", lpFilePart=0x0) returned 0xe [0063.890] SetErrorMode (uMode=0x1) returned 0x0 [0063.890] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc2406c5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3470 [0063.890] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc2406c5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.890] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc2406c5, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc2406c5, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc2406c5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0063.890] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0063.890] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0063.890] FindNextFileW (in: hFindFile=0x10b3470, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0063.890] FindClose (in: hFindFile=0x10b3470 | out: hFindFile=0x10b3470) returned 1 [0063.891] SetErrorMode (uMode=0x0) returned 0x1 [0063.891] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0063.891] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0063.891] CoTaskMemFree (pv=0x10be120) [0063.891] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0063.891] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xa8273035, Data2=0x492e, Data3=0x476c, Data4=([0]=0x82, [1]=0x2d, [2]=0xbe, [3]=0x49, [4]=0xf7, [5]=0x79, [6]=0xd2, [7]=0x44))) returned 0x0 [0063.891] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0063.891] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0063.891] CoTaskMemFree (pv=0x10be120) [0063.891] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0063.892] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs", lpFilePart=0x0) returned 0x13 [0063.892] SetErrorMode (uMode=0x1) returned 0x0 [0063.892] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0063.899] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.899] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0063.899] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0063.899] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0063.899] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0063.899] FindClose (in: hFindFile=0x10b3350 | out: hFindFile=0x10b3350) returned 1 [0063.900] SetErrorMode (uMode=0x0) returned 0x1 [0063.900] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.900] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.901] SetErrorMode (uMode=0x1) returned 0x0 [0063.901] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2)) returned 1 [0063.902] SetErrorMode (uMode=0x0) returned 0x1 [0063.902] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.902] SetErrorMode (uMode=0x1) returned 0x0 [0063.902] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.902] GetFileType (hFile=0x30c) returned 0x1 [0063.902] SetErrorMode (uMode=0x0) returned 0x1 [0063.902] GetFileType (hFile=0x30c) returned 0x1 [0063.902] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42588, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x56 [0063.903] ReadFile (in: hFile=0x30c, lpBuffer=0x31df7a8, nNumberOfBytesToRead=0xa65c, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x31df7a8*, lpNumberOfBytesRead=0xf1e638*=0xa65c, lpOverlapped=0x0) returned 1 [0063.904] CloseHandle (hObject=0x30c) returned 1 [0063.904] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.904] SetErrorMode (uMode=0x1) returned 0x0 [0063.904] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0063.905] GetFileType (hFile=0x30c) returned 0x1 [0063.905] SetErrorMode (uMode=0x0) returned 0x1 [0063.905] GetFileType (hFile=0x30c) returned 0x1 [0063.905] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xa6b2 [0063.905] SetFilePointer (in: hFile=0x30c, lDistanceToMove=86, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x56 [0063.905] SetEndOfFile (hFile=0x30c) returned 1 [0063.907] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0063.907] CloseHandle (hObject=0x30c) returned 1 [0063.973] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.974] SetErrorMode (uMode=0x1) returned 0x0 [0063.974] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0063.974] GetFileType (hFile=0x30c) returned 0x1 [0063.974] SetErrorMode (uMode=0x0) returned 0x1 [0063.974] GetFileType (hFile=0x30c) returned 0x1 [0063.974] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x56 [0063.974] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.975] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.975] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.976] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.976] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.976] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.976] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.977] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.977] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.977] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.977] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.978] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.978] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.978] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0063.979] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5a8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5a8*=0x1000, lpOverlapped=0x0) returned 1 [0063.979] WriteFile (in: hFile=0x30c, lpBuffer=0x32409c8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32409c8*, lpNumberOfBytesWritten=0xf1e5d8*=0x2bf, lpOverlapped=0x0) returned 1 [0063.979] CloseHandle (hObject=0x30c) returned 1 [0063.981] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.981] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x69 [0063.981] SetErrorMode (uMode=0x1) returned 0x0 [0063.981] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xdc325728, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xf315)) returned 1 [0063.981] SetErrorMode (uMode=0x0) returned 0x1 [0063.981] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), lpNewFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0063.989] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpFilePart=0x0) returned 0x39 [0063.989] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 0 [0063.989] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0063.989] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0063.989] SetErrorMode (uMode=0x1) returned 0x0 [0063.989] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774)) returned 1 [0064.023] SetErrorMode (uMode=0x0) returned 0x1 [0064.023] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0064.023] SetErrorMode (uMode=0x1) returned 0x0 [0064.023] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.023] GetFileType (hFile=0x30c) returned 0x1 [0064.023] SetErrorMode (uMode=0x0) returned 0x1 [0064.023] GetFileType (hFile=0x30c) returned 0x1 [0064.023] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-5967, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x25 [0064.023] ReadFile (in: hFile=0x30c, lpBuffer=0x3242a28, nNumberOfBytesToRead=0x174f, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x3242a28*, lpNumberOfBytesRead=0xf1e638*=0x174f, lpOverlapped=0x0) returned 1 [0064.025] CloseHandle (hObject=0x30c) returned 1 [0064.025] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0064.026] SetErrorMode (uMode=0x1) returned 0x0 [0064.026] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.026] GetFileType (hFile=0x30c) returned 0x1 [0064.026] SetErrorMode (uMode=0x0) returned 0x1 [0064.026] GetFileType (hFile=0x30c) returned 0x1 [0064.026] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1774 [0064.026] SetFilePointer (in: hFile=0x30c, lDistanceToMove=37, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x25 [0064.026] SetEndOfFile (hFile=0x30c) returned 1 [0064.028] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.028] CloseHandle (hObject=0x30c) returned 1 [0064.031] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0064.031] SetErrorMode (uMode=0x1) returned 0x0 [0064.031] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.031] GetFileType (hFile=0x30c) returned 0x1 [0064.031] SetErrorMode (uMode=0x0) returned 0x1 [0064.031] GetFileType (hFile=0x30c) returned 0x1 [0064.031] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x25 [0064.032] WriteFile (in: hFile=0x30c, lpBuffer=0x3259880*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x3259880*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.033] WriteFile (in: hFile=0x30c, lpBuffer=0x3259880*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5a8, lpOverlapped=0x0 | out: lpBuffer=0x3259880*, lpNumberOfBytesWritten=0xf1e5a8*=0x1000, lpOverlapped=0x0) returned 1 [0064.033] WriteFile (in: hFile=0x30c, lpBuffer=0x3259880*, nNumberOfBytesToWrite=0x213, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x3259880*, lpNumberOfBytesWritten=0xf1e5d8*=0x213, lpOverlapped=0x0) returned 1 [0064.033] CloseHandle (hObject=0x30c) returned 1 [0064.034] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0064.034] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x64 [0064.034] SetErrorMode (uMode=0x1) returned 0x0 [0064.034] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc397c02, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2238)) returned 1 [0064.034] SetErrorMode (uMode=0x0) returned 0x1 [0064.034] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), lpNewFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.035] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpFilePart=0x0) returned 0x34 [0064.035] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 0 [0064.035] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.035] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.035] SetErrorMode (uMode=0x1) returned 0x0 [0064.035] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28)) returned 1 [0064.035] SetErrorMode (uMode=0x0) returned 0x1 [0064.036] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.036] SetErrorMode (uMode=0x1) returned 0x0 [0064.036] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.036] GetFileType (hFile=0x30c) returned 0x1 [0064.036] SetErrorMode (uMode=0x0) returned 0x1 [0064.036] GetFileType (hFile=0x30c) returned 0x1 [0064.036] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e788 | out: lpFileSizeHigh=0xf1e788*=0x0) returned 0x28 [0064.036] ReadFile (in: hFile=0x30c, lpBuffer=0x325bc10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e668, lpOverlapped=0x0 | out: lpBuffer=0x325bc10*, lpNumberOfBytesRead=0xf1e668*=0x28, lpOverlapped=0x0) returned 1 [0064.037] CloseHandle (hObject=0x30c) returned 1 [0064.037] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e1a0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.037] SetErrorMode (uMode=0x1) returned 0x0 [0064.037] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.037] GetFileType (hFile=0x30c) returned 0x1 [0064.037] SetErrorMode (uMode=0x0) returned 0x1 [0064.037] GetFileType (hFile=0x30c) returned 0x1 [0064.037] SetEndOfFile (hFile=0x30c) returned 1 [0064.038] CloseHandle (hObject=0x30c) returned 1 [0064.038] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.038] SetErrorMode (uMode=0x1) returned 0x0 [0064.039] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.039] GetFileType (hFile=0x30c) returned 0x1 [0064.039] SetErrorMode (uMode=0x0) returned 0x1 [0064.039] GetFileType (hFile=0x30c) returned 0x1 [0064.039] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x0 [0064.039] WriteFile (in: hFile=0x30c, lpBuffer=0x325e568*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x325e568*, lpNumberOfBytesWritten=0xf1e5d8*=0xbf, lpOverlapped=0x0) returned 1 [0064.040] CloseHandle (hObject=0x30c) returned 1 [0064.042] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.042] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x62 [0064.042] SetErrorMode (uMode=0x1) returned 0x0 [0064.042] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0064.042] SetErrorMode (uMode=0x0) returned 0x1 [0064.042] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), lpNewFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.043] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpFilePart=0x0) returned 0x32 [0064.043] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 0 [0064.043] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x2b [0064.043] SetErrorMode (uMode=0x1) returned 0x0 [0064.043] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\#DECRYPT MY FILES#.html" (normalized: "c:\\$getcurrent\\logs\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.044] GetFileType (hFile=0x30c) returned 0x1 [0064.044] SetErrorMode (uMode=0x0) returned 0x1 [0064.044] GetFileType (hFile=0x30c) returned 0x1 [0064.044] WriteFile (in: hFile=0x30c, lpBuffer=0x3261830*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3261830*, lpNumberOfBytesWritten=0xf1e688*=0x1000, lpOverlapped=0x0) returned 1 [0064.045] WriteFile (in: hFile=0x30c, lpBuffer=0x3261830*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3261830*, lpNumberOfBytesWritten=0xf1e688*=0x443, lpOverlapped=0x0) returned 1 [0064.045] CloseHandle (hObject=0x30c) returned 1 [0064.045] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\Logs", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\Logs", lpFilePart=0x0) returned 0x13 [0064.045] SetErrorMode (uMode=0x1) returned 0x0 [0064.045] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0xdc3be391, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0xdc3be391, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3be391, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc3be391, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xdc325728, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xf315, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DOWNLE~1.PRT")) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc397c02, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2238, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="OOBE_2~1.PRT")) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PARTNE~1.PRT")) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x10b3b30, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xdc3be391, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PARTNE~1.PRT")) returned 0 [0064.046] FindClose (in: hFindFile=0x10b3b30 | out: hFindFile=0x10b3b30) returned 1 [0064.046] SetErrorMode (uMode=0x0) returned 0x1 [0064.046] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.046] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0064.046] CoTaskMemFree (pv=0x10be120) [0064.046] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0064.047] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x1c474f73, Data2=0x65f8, Data3=0x4813, Data4=([0]=0x91, [1]=0x58, [2]=0x24, [3]=0x8b, [4]=0x75, [5]=0x5, [6]=0xfe, [7]=0x92))) returned 0x0 [0064.047] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.047] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0064.047] CoTaskMemFree (pv=0x10be120) [0064.047] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0064.047] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS", lpFilePart=0x0) returned 0x15 [0064.047] SetErrorMode (uMode=0x1) returned 0x0 [0064.047] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3170 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0064.055] FindNextFileW (in: hFindFile=0x10b3170, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0064.055] FindClose (in: hFindFile=0x10b3170 | out: hFindFile=0x10b3170) returned 1 [0064.056] SetErrorMode (uMode=0x0) returned 0x1 [0064.056] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.056] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.056] SetErrorMode (uMode=0x1) returned 0x0 [0064.057] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8)) returned 1 [0064.072] SetErrorMode (uMode=0x0) returned 0x1 [0064.073] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.073] SetErrorMode (uMode=0x1) returned 0x0 [0064.073] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.073] GetFileType (hFile=0x30c) returned 0x1 [0064.073] SetErrorMode (uMode=0x0) returned 0x1 [0064.073] GetFileType (hFile=0x30c) returned 0x1 [0064.073] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x138c9 [0064.074] ReadFile (in: hFile=0x30c, lpBuffer=0x32664a8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x32664a8*, lpNumberOfBytesRead=0xf1e638*=0xf9ff, lpOverlapped=0x0) returned 1 [0064.076] CloseHandle (hObject=0x30c) returned 1 [0064.076] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.076] SetErrorMode (uMode=0x1) returned 0x0 [0064.076] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.077] GetFileType (hFile=0x30c) returned 0x1 [0064.077] SetErrorMode (uMode=0x0) returned 0x1 [0064.077] GetFileType (hFile=0x30c) returned 0x1 [0064.077] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x232c8 [0064.077] SetFilePointer (in: hFile=0x30c, lDistanceToMove=80073, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x138c9 [0064.077] SetEndOfFile (hFile=0x30c) returned 1 [0064.079] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.079] CloseHandle (hObject=0x30c) returned 1 [0064.108] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.108] SetErrorMode (uMode=0x1) returned 0x0 [0064.108] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.109] GetFileType (hFile=0x30c) returned 0x1 [0064.109] SetErrorMode (uMode=0x0) returned 0x1 [0064.109] GetFileType (hFile=0x30c) returned 0x1 [0064.109] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x138c9 [0064.109] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.110] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.110] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.110] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.110] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.110] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.113] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.113] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.113] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0x1000, lpOverlapped=0x0) returned 1 [0064.113] WriteFile (in: hFile=0x30c, lpBuffer=0x32e8570*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32e8570*, lpNumberOfBytesWritten=0xf1e5d8*=0xcbf, lpOverlapped=0x0) returned 1 [0064.113] CloseHandle (hObject=0x30c) returned 1 [0064.154] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.154] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x58 [0064.154] SetErrorMode (uMode=0x1) returned 0x0 [0064.154] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4c911c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2a588)) returned 1 [0064.154] SetErrorMode (uMode=0x0) returned 0x1 [0064.154] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.154] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpFilePart=0x0) returned 0x28 [0064.154] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 0 [0064.155] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.155] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.155] SetErrorMode (uMode=0x1) returned 0x0 [0064.155] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c)) returned 1 [0064.156] SetErrorMode (uMode=0x0) returned 0x1 [0064.156] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.156] SetErrorMode (uMode=0x1) returned 0x0 [0064.156] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.156] GetFileType (hFile=0x30c) returned 0x1 [0064.157] SetErrorMode (uMode=0x0) returned 0x1 [0064.157] GetFileType (hFile=0x30c) returned 0x1 [0064.157] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-117, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x27 [0064.157] ReadFile (in: hFile=0x30c, lpBuffer=0x32ea8e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x32ea8e0*, lpNumberOfBytesRead=0xf1e638*=0x75, lpOverlapped=0x0) returned 1 [0064.159] CloseHandle (hObject=0x30c) returned 1 [0064.159] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.160] SetErrorMode (uMode=0x1) returned 0x0 [0064.160] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.160] GetFileType (hFile=0x30c) returned 0x1 [0064.160] SetErrorMode (uMode=0x0) returned 0x1 [0064.160] GetFileType (hFile=0x30c) returned 0x1 [0064.160] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x9c [0064.160] SetFilePointer (in: hFile=0x30c, lDistanceToMove=39, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x27 [0064.160] SetEndOfFile (hFile=0x30c) returned 1 [0064.162] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.162] CloseHandle (hObject=0x30c) returned 1 [0064.162] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.162] SetErrorMode (uMode=0x1) returned 0x0 [0064.162] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.162] GetFileType (hFile=0x30c) returned 0x1 [0064.162] SetErrorMode (uMode=0x0) returned 0x1 [0064.163] GetFileType (hFile=0x30c) returned 0x1 [0064.163] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x27 [0064.163] WriteFile (in: hFile=0x30c, lpBuffer=0x32ed298*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32ed298*, lpNumberOfBytesWritten=0xf1e5d8*=0xbf, lpOverlapped=0x0) returned 1 [0064.163] CloseHandle (hObject=0x30c) returned 1 [0064.164] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.164] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5c [0064.164] SetErrorMode (uMode=0x1) returned 0x0 [0064.164] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4c911c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xe6)) returned 1 [0064.164] SetErrorMode (uMode=0x0) returned 0x1 [0064.164] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.165] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpFilePart=0x0) returned 0x2c [0064.165] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 0 [0064.165] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.165] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.165] SetErrorMode (uMode=0x1) returned 0x0 [0064.165] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241)) returned 1 [0064.166] SetErrorMode (uMode=0x0) returned 0x1 [0064.166] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.166] SetErrorMode (uMode=0x1) returned 0x0 [0064.166] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.166] GetFileType (hFile=0x30c) returned 0x1 [0064.166] SetErrorMode (uMode=0x0) returned 0x1 [0064.166] GetFileType (hFile=0x30c) returned 0x1 [0064.166] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-468, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x6d [0064.166] ReadFile (in: hFile=0x30c, lpBuffer=0x32ef798, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x32ef798*, lpNumberOfBytesRead=0xf1e638*=0x1d4, lpOverlapped=0x0) returned 1 [0064.168] CloseHandle (hObject=0x30c) returned 1 [0064.168] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.168] SetErrorMode (uMode=0x1) returned 0x0 [0064.168] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.168] GetFileType (hFile=0x30c) returned 0x1 [0064.168] SetErrorMode (uMode=0x0) returned 0x1 [0064.168] GetFileType (hFile=0x30c) returned 0x1 [0064.168] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x241 [0064.168] SetFilePointer (in: hFile=0x30c, lDistanceToMove=109, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x6d [0064.168] SetEndOfFile (hFile=0x30c) returned 1 [0064.170] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.170] CloseHandle (hObject=0x30c) returned 1 [0064.170] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.170] SetErrorMode (uMode=0x1) returned 0x0 [0064.171] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.171] GetFileType (hFile=0x30c) returned 0x1 [0064.171] SetErrorMode (uMode=0x0) returned 0x1 [0064.171] GetFileType (hFile=0x30c) returned 0x1 [0064.171] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x6d [0064.171] WriteFile (in: hFile=0x30c, lpBuffer=0x32f3350*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32f3350*, lpNumberOfBytesWritten=0xf1e5d8*=0x2bf, lpOverlapped=0x0) returned 1 [0064.172] CloseHandle (hObject=0x30c) returned 1 [0064.173] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.173] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5e [0064.173] SetErrorMode (uMode=0x1) returned 0x0 [0064.173] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xdc4ef3a9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x32c)) returned 1 [0064.173] SetErrorMode (uMode=0x0) returned 0x1 [0064.173] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.173] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpFilePart=0x0) returned 0x2e [0064.174] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 0 [0064.174] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.174] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.174] SetErrorMode (uMode=0x1) returned 0x0 [0064.174] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a)) returned 1 [0064.175] SetErrorMode (uMode=0x0) returned 0x1 [0064.175] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.175] SetErrorMode (uMode=0x1) returned 0x0 [0064.175] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.175] GetFileType (hFile=0x30c) returned 0x1 [0064.175] SetErrorMode (uMode=0x0) returned 0x1 [0064.175] GetFileType (hFile=0x30c) returned 0x1 [0064.175] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e788 | out: lpFileSizeHigh=0xf1e788*=0x0) returned 0x4a [0064.175] ReadFile (in: hFile=0x30c, lpBuffer=0x32f5618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e668, lpOverlapped=0x0 | out: lpBuffer=0x32f5618*, lpNumberOfBytesRead=0xf1e668*=0x4a, lpOverlapped=0x0) returned 1 [0064.176] CloseHandle (hObject=0x30c) returned 1 [0064.176] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e1a0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.176] SetErrorMode (uMode=0x1) returned 0x0 [0064.176] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.176] GetFileType (hFile=0x30c) returned 0x1 [0064.176] SetErrorMode (uMode=0x0) returned 0x1 [0064.176] GetFileType (hFile=0x30c) returned 0x1 [0064.176] SetEndOfFile (hFile=0x30c) returned 1 [0064.177] CloseHandle (hObject=0x30c) returned 1 [0064.177] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.177] SetErrorMode (uMode=0x1) returned 0x0 [0064.177] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.178] GetFileType (hFile=0x30c) returned 0x1 [0064.178] SetErrorMode (uMode=0x0) returned 0x1 [0064.178] GetFileType (hFile=0x30c) returned 0x1 [0064.178] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x0 [0064.178] WriteFile (in: hFile=0x30c, lpBuffer=0x32f7ee0*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32f7ee0*, lpNumberOfBytesWritten=0xf1e5d8*=0xbf, lpOverlapped=0x0) returned 1 [0064.179] CloseHandle (hObject=0x30c) returned 1 [0064.179] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.179] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x51 [0064.179] SetErrorMode (uMode=0x1) returned 0x0 [0064.179] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4ef3a9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0064.179] SetErrorMode (uMode=0x0) returned 0x1 [0064.180] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.180] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpFilePart=0x0) returned 0x21 [0064.180] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 0 [0064.180] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.180] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.180] SetErrorMode (uMode=0x1) returned 0x0 [0064.180] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133)) returned 1 [0064.181] SetErrorMode (uMode=0x0) returned 0x1 [0064.181] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.181] SetErrorMode (uMode=0x1) returned 0x0 [0064.181] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.181] GetFileType (hFile=0x30c) returned 0x1 [0064.181] SetErrorMode (uMode=0x0) returned 0x1 [0064.182] GetFileType (hFile=0x30c) returned 0x1 [0064.182] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-234, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x49 [0064.182] ReadFile (in: hFile=0x30c, lpBuffer=0x32fa248, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x32fa248*, lpNumberOfBytesRead=0xf1e638*=0xea, lpOverlapped=0x0) returned 1 [0064.183] CloseHandle (hObject=0x30c) returned 1 [0064.183] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.183] SetErrorMode (uMode=0x1) returned 0x0 [0064.183] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.183] GetFileType (hFile=0x30c) returned 0x1 [0064.183] SetErrorMode (uMode=0x0) returned 0x1 [0064.183] GetFileType (hFile=0x30c) returned 0x1 [0064.183] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x133 [0064.183] SetFilePointer (in: hFile=0x30c, lDistanceToMove=73, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x49 [0064.183] SetEndOfFile (hFile=0x30c) returned 1 [0064.185] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.185] CloseHandle (hObject=0x30c) returned 1 [0064.185] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.185] SetErrorMode (uMode=0x1) returned 0x0 [0064.185] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.185] GetFileType (hFile=0x30c) returned 0x1 [0064.185] SetErrorMode (uMode=0x0) returned 0x1 [0064.186] GetFileType (hFile=0x30c) returned 0x1 [0064.186] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x49 [0064.189] WriteFile (in: hFile=0x30c, lpBuffer=0x32fd1d8*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x32fd1d8*, lpNumberOfBytesWritten=0xf1e5d8*=0x16b, lpOverlapped=0x0) returned 1 [0064.189] CloseHandle (hObject=0x30c) returned 1 [0064.190] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.190] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x57 [0064.190] SetErrorMode (uMode=0x1) returned 0x0 [0064.190] GetFileAttributesExW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b4)) returned 1 [0064.190] SetErrorMode (uMode=0x0) returned 0x1 [0064.190] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.191] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpFilePart=0x0) returned 0x27 [0064.191] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 0 [0064.191] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x2d [0064.191] SetErrorMode (uMode=0x1) returned 0x0 [0064.191] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\#DECRYPT MY FILES#.html" (normalized: "c:\\$getcurrent\\safeos\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.191] GetFileType (hFile=0x30c) returned 0x1 [0064.191] SetErrorMode (uMode=0x0) returned 0x1 [0064.192] GetFileType (hFile=0x30c) returned 0x1 [0064.192] WriteFile (in: hFile=0x30c, lpBuffer=0x3300458*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3300458*, lpNumberOfBytesWritten=0xf1e688*=0x1000, lpOverlapped=0x0) returned 1 [0064.193] WriteFile (in: hFile=0x30c, lpBuffer=0x3300458*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3300458*, lpNumberOfBytesWritten=0xf1e688*=0x443, lpOverlapped=0x0) returned 1 [0064.193] CloseHandle (hObject=0x30c) returned 1 [0064.193] GetFullPathNameW (in: lpFileName="C:\\$GetCurrent\\SafeOS", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\$GetCurrent\\SafeOS", lpFilePart=0x0) returned 0x15 [0064.193] SetErrorMode (uMode=0x1) returned 0x0 [0064.193] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0xdc515338, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2e70 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0xdc515338, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc515338, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc515338, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4c911c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="GETCUR~1.PRT")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4c911c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="GETCUR~2.PRT")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xdc4ef3a9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PARTNE~1.PRT")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc4ef3a9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="PREOOB~1.PRT")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="SETUPC~1.PRT")) returned 1 [0064.194] FindNextFileW (in: hFindFile=0x10b2e70, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xdc515338, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="SETUPC~1.PRT")) returned 0 [0064.194] FindClose (in: hFindFile=0x10b2e70 | out: hFindFile=0x10b2e70) returned 1 [0064.194] SetErrorMode (uMode=0x0) returned 0x1 [0064.194] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.194] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0064.194] CoTaskMemFree (pv=0x10be120) [0064.194] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0064.194] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0xb6e76425, Data2=0x52ca, Data3=0x4d6d, Data4=([0]=0x8e, [1]=0xa2, [2]=0x3e, [3]=0x87, [4]=0x3e, [5]=0xc5, [6]=0x50, [7]=0x26))) returned 0x0 [0064.195] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0064.195] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0064.195] CoTaskMemFree (pv=0x10bd680) [0064.195] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0064.195] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin", lpFilePart=0x0) returned 0xf [0064.195] SetErrorMode (uMode=0x1) returned 0x0 [0064.195] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b32f0 [0064.195] FindNextFileW (in: hFindFile=0x10b32f0, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.195] FindNextFileW (in: hFindFile=0x10b32f0, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0064.196] FindNextFileW (in: hFindFile=0x10b32f0, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0064.196] FindNextFileW (in: hFindFile=0x10b32f0, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0064.196] FindClose (in: hFindFile=0x10b32f0 | out: hFindFile=0x10b32f0) returned 1 [0064.196] SetErrorMode (uMode=0x0) returned 0x1 [0064.196] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x27 [0064.196] SetErrorMode (uMode=0x1) returned 0x0 [0064.196] CreateFileW (lpFileName="C:\\$Recycle.Bin\\#DECRYPT MY FILES#.html" (normalized: "c:\\$recycle.bin\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.206] GetFileType (hFile=0x30c) returned 0x1 [0064.206] SetErrorMode (uMode=0x0) returned 0x1 [0064.206] GetFileType (hFile=0x30c) returned 0x1 [0064.206] WriteFile (in: hFile=0x30c, lpBuffer=0x3305c80*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x3305c80*, lpNumberOfBytesWritten=0xf1e748*=0x1000, lpOverlapped=0x0) returned 1 [0064.207] WriteFile (in: hFile=0x30c, lpBuffer=0x3305c80*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x3305c80*, lpNumberOfBytesWritten=0xf1e748*=0x443, lpOverlapped=0x0) returned 1 [0064.207] CloseHandle (hObject=0x30c) returned 1 [0064.208] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin", lpFilePart=0x0) returned 0xf [0064.211] SetErrorMode (uMode=0x1) returned 0x0 [0064.211] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xdc53b82d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3530 [0064.212] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xdc53b82d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.212] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc53b82d, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc53b82d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc53b82d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0064.212] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0064.212] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0064.212] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0064.212] FindClose (in: hFindFile=0x10b3530 | out: hFindFile=0x10b3530) returned 1 [0064.212] SetErrorMode (uMode=0x0) returned 0x1 [0064.213] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0064.213] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0064.213] CoTaskMemFree (pv=0x10bc9c0) [0064.213] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0064.213] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x8af581fc, Data2=0x9935, Data3=0x4fda, Data4=([0]=0xa9, [1]=0x88, [2]=0x35, [3]=0xf3, [4]=0xfb, [5]=0x4b, [6]=0x74, [7]=0x2d))) returned 0x0 [0064.213] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.213] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0064.213] CoTaskMemFree (pv=0x10be120) [0064.213] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0064.213] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18", lpFilePart=0x0) returned 0x18 [0064.213] SetErrorMode (uMode=0x1) returned 0x0 [0064.213] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3290 [0064.213] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.213] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0064.214] FindNextFileW (in: hFindFile=0x10b3290, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0064.214] FindClose (in: hFindFile=0x10b3290 | out: hFindFile=0x10b3290) returned 1 [0064.214] SetErrorMode (uMode=0x0) returned 0x1 [0064.214] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.214] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.214] SetErrorMode (uMode=0x1) returned 0x0 [0064.214] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0064.214] SetErrorMode (uMode=0x0) returned 0x1 [0064.214] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.214] SetErrorMode (uMode=0x1) returned 0x0 [0064.214] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.214] GetFileType (hFile=0x30c) returned 0x1 [0064.214] SetErrorMode (uMode=0x0) returned 0x1 [0064.214] GetFileType (hFile=0x30c) returned 0x1 [0064.214] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-117, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0064.214] ReadFile (in: hFile=0x30c, lpBuffer=0x3003ee0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x3003ee0*, lpNumberOfBytesRead=0xf1e638*=0x75, lpOverlapped=0x0) returned 1 [0064.215] CloseHandle (hObject=0x30c) returned 1 [0064.215] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.215] SetErrorMode (uMode=0x1) returned 0x0 [0064.216] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.216] GetFileType (hFile=0x30c) returned 0x1 [0064.216] SetErrorMode (uMode=0x0) returned 0x1 [0064.216] GetFileType (hFile=0x30c) returned 0x1 [0064.216] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x81 [0064.216] SetFilePointer (in: hFile=0x30c, lDistanceToMove=12, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0xc [0064.216] SetEndOfFile (hFile=0x30c) returned 1 [0064.218] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.218] CloseHandle (hObject=0x30c) returned 1 [0064.218] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.218] SetErrorMode (uMode=0x1) returned 0x0 [0064.218] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.218] GetFileType (hFile=0x30c) returned 0x1 [0064.218] SetErrorMode (uMode=0x0) returned 0x1 [0064.218] GetFileType (hFile=0x30c) returned 0x1 [0064.218] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0064.218] WriteFile (in: hFile=0x30c, lpBuffer=0x3006848*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x3006848*, lpNumberOfBytesWritten=0xf1e5d8*=0xbf, lpOverlapped=0x0) returned 1 [0064.219] CloseHandle (hObject=0x30c) returned 1 [0064.220] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.220] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0064.220] SetErrorMode (uMode=0x1) returned 0x0 [0064.220] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb)) returned 1 [0064.220] SetErrorMode (uMode=0x0) returned 0x1 [0064.220] MoveFileW (lpExistingFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), lpNewFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.221] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpFilePart=0x0) returned 0x24 [0064.221] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 0 [0064.221] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x30 [0064.221] SetErrorMode (uMode=0x1) returned 0x0 [0064.221] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\#DECRYPT MY FILES#.html" (normalized: "c:\\$recycle.bin\\s-1-5-18\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.222] GetFileType (hFile=0x30c) returned 0x1 [0064.222] SetErrorMode (uMode=0x0) returned 0x1 [0064.222] GetFileType (hFile=0x30c) returned 0x1 [0064.222] WriteFile (in: hFile=0x30c, lpBuffer=0x3009ae0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3009ae0*, lpNumberOfBytesWritten=0xf1e688*=0x1000, lpOverlapped=0x0) returned 1 [0064.223] WriteFile (in: hFile=0x30c, lpBuffer=0x3009ae0*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3009ae0*, lpNumberOfBytesWritten=0xf1e688*=0x443, lpOverlapped=0x0) returned 1 [0064.223] CloseHandle (hObject=0x30c) returned 1 [0064.224] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-18", lpFilePart=0x0) returned 0x18 [0064.224] SetErrorMode (uMode=0x1) returned 0x0 [0064.224] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xdc561952, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b34d0 [0064.224] FindNextFileW (in: hFindFile=0x10b34d0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xdc561952, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.224] FindNextFileW (in: hFindFile=0x10b34d0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc561952, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc561952, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0064.224] FindNextFileW (in: hFindFile=0x10b34d0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DESKTO~1.PRT")) returned 1 [0064.224] FindNextFileW (in: hFindFile=0x10b34d0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xdc561952, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DESKTO~1.PRT")) returned 0 [0064.224] FindClose (in: hFindFile=0x10b34d0 | out: hFindFile=0x10b34d0) returned 1 [0064.224] SetErrorMode (uMode=0x0) returned 0x1 [0064.224] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0064.224] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0064.224] CoTaskMemFree (pv=0x10bc9c0) [0064.224] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0064.224] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x71ab12c8, Data2=0xceea, Data3=0x4d0a, Data4=([0]=0xaa, [1]=0xad, [2]=0x1b, [3]=0x87, [4]=0x52, [5]=0xad, [6]=0xf2, [7]=0x16))) returned 0x0 [0064.225] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.225] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0064.225] CoTaskMemFree (pv=0x10be120) [0064.225] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0064.225] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000", lpFilePart=0x0) returned 0x3d [0064.225] SetErrorMode (uMode=0x1) returned 0x0 [0064.225] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0064.225] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.225] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0064.225] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0064.225] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0064.225] SetErrorMode (uMode=0x0) returned 0x1 [0064.225] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.226] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.226] SetErrorMode (uMode=0x1) returned 0x0 [0064.226] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0064.226] SetErrorMode (uMode=0x0) returned 0x1 [0064.226] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.226] SetErrorMode (uMode=0x1) returned 0x0 [0064.226] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.226] GetFileType (hFile=0x30c) returned 0x1 [0064.226] SetErrorMode (uMode=0x0) returned 0x1 [0064.226] GetFileType (hFile=0x30c) returned 0x1 [0064.226] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-117, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0064.226] ReadFile (in: hFile=0x30c, lpBuffer=0x300e888, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x300e888*, lpNumberOfBytesRead=0xf1e638*=0x75, lpOverlapped=0x0) returned 1 [0064.226] CloseHandle (hObject=0x30c) returned 1 [0064.226] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.226] SetErrorMode (uMode=0x1) returned 0x0 [0064.227] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.227] GetFileType (hFile=0x30c) returned 0x1 [0064.227] SetErrorMode (uMode=0x0) returned 0x1 [0064.227] GetFileType (hFile=0x30c) returned 0x1 [0064.227] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x81 [0064.227] SetFilePointer (in: hFile=0x30c, lDistanceToMove=12, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0xc [0064.227] SetEndOfFile (hFile=0x30c) returned 1 [0064.229] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e7b0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e7b0*=0) returned 0x0 [0064.229] CloseHandle (hObject=0x30c) returned 1 [0064.230] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.230] SetErrorMode (uMode=0x1) returned 0x0 [0064.230] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.230] GetFileType (hFile=0x30c) returned 0x1 [0064.230] SetErrorMode (uMode=0x0) returned 0x1 [0064.230] GetFileType (hFile=0x30c) returned 0x1 [0064.230] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0064.230] WriteFile (in: hFile=0x30c, lpBuffer=0x3011280*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e5d8, lpOverlapped=0x0 | out: lpBuffer=0x3011280*, lpNumberOfBytesWritten=0xf1e5d8*=0xbf, lpOverlapped=0x0) returned 1 [0064.231] CloseHandle (hObject=0x30c) returned 1 [0064.232] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.232] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e3c0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x79 [0064.232] SetErrorMode (uMode=0x1) returned 0x0 [0064.232] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdc587c35, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb)) returned 1 [0064.232] SetErrorMode (uMode=0x0) returned 0x1 [0064.232] MoveFileW (lpExistingFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), lpNewFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.260] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini", lpFilePart=0x0) returned 0x49 [0064.260] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0 [0064.260] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x55 [0064.260] SetErrorMode (uMode=0x1) returned 0x0 [0064.260] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\#DECRYPT MY FILES#.html" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.262] GetFileType (hFile=0x30c) returned 0x1 [0064.262] SetErrorMode (uMode=0x0) returned 0x1 [0064.262] GetFileType (hFile=0x30c) returned 0x1 [0064.262] WriteFile (in: hFile=0x30c, lpBuffer=0x3014710*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3014710*, lpNumberOfBytesWritten=0xf1e688*=0x1000, lpOverlapped=0x0) returned 1 [0064.263] WriteFile (in: hFile=0x30c, lpBuffer=0x3014710*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x3014710*, lpNumberOfBytesWritten=0xf1e688*=0x443, lpOverlapped=0x0) returned 1 [0064.263] CloseHandle (hObject=0x30c) returned 1 [0064.264] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000", lpFilePart=0x0) returned 0x3d [0064.264] SetErrorMode (uMode=0x1) returned 0x0 [0064.264] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdc5d3e7f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc5d3e7f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3230 [0064.264] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xdc5d3e7f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc5d3e7f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.264] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc5d3e7f, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xdc5d3e7f, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdc5d3e7f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0064.264] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdc587c35, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DESKTO~1.PRT")) returned 1 [0064.264] FindNextFileW (in: hFindFile=0x10b3230, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xdc587c35, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="DESKTO~1.PRT")) returned 0 [0064.264] FindClose (in: hFindFile=0x10b3230 | out: hFindFile=0x10b3230) returned 1 [0064.264] SetErrorMode (uMode=0x0) returned 0x1 [0064.264] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0064.264] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0064.264] CoTaskMemFree (pv=0x10bd680) [0064.264] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0064.264] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0x1a06df5e, Data2=0xf8bd, Data3=0x4a7f, Data4=([0]=0x8f, [1]=0xc1, [2]=0x1c, [3]=0x5c, [4]=0x49, [5]=0xeb, [6]=0xfc, [7]=0xf2))) returned 0x0 [0064.265] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0064.265] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0064.265] CoTaskMemFree (pv=0x10be120) [0064.265] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0064.265] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212", lpFilePart=0x0) returned 0x15 [0064.265] SetErrorMode (uMode=0x1) returned 0x0 [0064.265] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3530 [0064.267] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1025", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1029", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1030", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1032", cAlternateFileName="")) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1035", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1037", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1038", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1043", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1044", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1045", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1053", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1055", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2070", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3076", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x0, dwReserved1=0x0, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Extended", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Graphics", cAlternateFileName="")) returned 1 [0064.269] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x0, dwReserved1=0x0, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x0, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x0, dwReserved1=0x0, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x0, dwReserved1=0x0, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0064.271] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0064.272] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0064.272] FindNextFileW (in: hFindFile=0x10b3530, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0064.272] FindClose (in: hFindFile=0x10b3530 | out: hFindFile=0x10b3530) returned 1 [0064.272] SetErrorMode (uMode=0x0) returned 0x1 [0064.272] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.272] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.273] SetErrorMode (uMode=0x1) returned 0x0 [0064.273] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6)) returned 1 [0064.276] SetErrorMode (uMode=0x0) returned 0x1 [0064.276] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.277] SetErrorMode (uMode=0x1) returned 0x0 [0064.277] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.277] GetFileType (hFile=0x30c) returned 0x1 [0064.277] SetErrorMode (uMode=0x0) returned 0x1 [0064.277] GetFileType (hFile=0x30c) returned 0x1 [0064.277] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-16029, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x59 [0064.277] ReadFile (in: hFile=0x30c, lpBuffer=0x301b1b8, nNumberOfBytesToRead=0x3e9d, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x301b1b8*, lpNumberOfBytesRead=0xf1e6f8*=0x3e9d, lpOverlapped=0x0) returned 1 [0064.279] CloseHandle (hObject=0x30c) returned 1 [0064.279] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.279] SetErrorMode (uMode=0x1) returned 0x0 [0064.279] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.279] GetFileType (hFile=0x30c) returned 0x1 [0064.279] SetErrorMode (uMode=0x0) returned 0x1 [0064.279] GetFileType (hFile=0x30c) returned 0x1 [0064.279] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x3ef6 [0064.279] SetFilePointer (in: hFile=0x30c, lDistanceToMove=89, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x59 [0064.279] SetEndOfFile (hFile=0x30c) returned 1 [0064.282] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0064.282] CloseHandle (hObject=0x30c) returned 1 [0064.284] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.284] SetErrorMode (uMode=0x1) returned 0x0 [0064.285] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.285] GetFileType (hFile=0x30c) returned 0x1 [0064.285] SetErrorMode (uMode=0x0) returned 0x1 [0064.285] GetFileType (hFile=0x30c) returned 0x1 [0064.285] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x59 [0064.285] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.287] WriteFile (in: hFile=0x30c, lpBuffer=0x305b9f0*, nNumberOfBytesToWrite=0xb6b, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x305b9f0*, lpNumberOfBytesWritten=0xf1e698*=0xb6b, lpOverlapped=0x0) returned 1 [0064.287] CloseHandle (hObject=0x30c) returned 1 [0064.288] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.288] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x56 [0064.288] SetErrorMode (uMode=0x1) returned 0x0 [0064.288] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xdc5fa0e0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5bc4)) returned 1 [0064.288] SetErrorMode (uMode=0x0) returned 0x1 [0064.288] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.289] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DHtmlHeader.html", lpFilePart=0x0) returned 0x26 [0064.289] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 0 [0064.289] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.289] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.289] SetErrorMode (uMode=0x1) returned 0x0 [0064.289] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5)) returned 1 [0064.291] SetErrorMode (uMode=0x0) returned 0x1 [0064.291] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.291] SetErrorMode (uMode=0x1) returned 0x0 [0064.291] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.291] GetFileType (hFile=0x30c) returned 0x1 [0064.291] SetErrorMode (uMode=0x0) returned 0x1 [0064.291] GetFileType (hFile=0x30c) returned 0x1 [0064.292] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x5fd6 [0064.292] ReadFile (in: hFile=0x30c, lpBuffer=0x305d948, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x305d948*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0064.294] CloseHandle (hObject=0x30c) returned 1 [0064.294] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.294] SetErrorMode (uMode=0x1) returned 0x0 [0064.294] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.294] GetFileType (hFile=0x30c) returned 0x1 [0064.294] SetErrorMode (uMode=0x0) returned 0x1 [0064.294] GetFileType (hFile=0x30c) returned 0x1 [0064.294] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x159d5 [0064.294] SetFilePointer (in: hFile=0x30c, lDistanceToMove=24534, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x5fd6 [0064.294] SetEndOfFile (hFile=0x30c) returned 1 [0064.297] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0064.297] CloseHandle (hObject=0x30c) returned 1 [0064.344] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.344] SetErrorMode (uMode=0x1) returned 0x0 [0064.344] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.344] GetFileType (hFile=0x30c) returned 0x1 [0064.344] SetErrorMode (uMode=0x0) returned 0x1 [0064.345] GetFileType (hFile=0x30c) returned 0x1 [0064.345] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x5fd6 [0064.345] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.346] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.346] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.346] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.346] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.348] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.349] WriteFile (in: hFile=0x30c, lpBuffer=0x30df9e0*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30df9e0*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0064.349] CloseHandle (hObject=0x30c) returned 1 [0064.358] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.358] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x55 [0064.358] SetErrorMode (uMode=0x1) returned 0x0 [0064.358] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xdc6b8e18, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1cc95)) returned 1 [0064.358] SetErrorMode (uMode=0x0) returned 0x1 [0064.358] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.359] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\DisplayIcon.ico", lpFilePart=0x0) returned 0x25 [0064.359] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 0 [0064.359] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.359] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.359] SetErrorMode (uMode=0x1) returned 0x0 [0064.359] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c)) returned 1 [0064.360] SetErrorMode (uMode=0x0) returned 0x1 [0064.360] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.360] SetErrorMode (uMode=0x1) returned 0x0 [0064.360] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.360] GetFileType (hFile=0x30c) returned 0x1 [0064.360] SetErrorMode (uMode=0x0) returned 0x1 [0064.360] GetFileType (hFile=0x30c) returned 0x1 [0064.360] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3627, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1 [0064.360] ReadFile (in: hFile=0x30c, lpBuffer=0x30e2a70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30e2a70*, lpNumberOfBytesRead=0xf1e6f8*=0xe2b, lpOverlapped=0x0) returned 1 [0064.362] CloseHandle (hObject=0x30c) returned 1 [0064.362] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.362] SetErrorMode (uMode=0x1) returned 0x0 [0064.362] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.362] GetFileType (hFile=0x30c) returned 0x1 [0064.362] SetErrorMode (uMode=0x0) returned 0x1 [0064.362] GetFileType (hFile=0x30c) returned 0x1 [0064.363] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xe2c [0064.363] SetFilePointer (in: hFile=0x30c, lDistanceToMove=1, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1 [0064.363] SetEndOfFile (hFile=0x30c) returned 1 [0064.365] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0064.365] CloseHandle (hObject=0x30c) returned 1 [0064.365] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.365] SetErrorMode (uMode=0x1) returned 0x0 [0064.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.366] GetFileType (hFile=0x30c) returned 0x1 [0064.366] SetErrorMode (uMode=0x0) returned 0x1 [0064.366] GetFileType (hFile=0x30c) returned 0x1 [0064.366] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1 [0064.366] WriteFile (in: hFile=0x30c, lpBuffer=0x30f08e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30f08e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.367] WriteFile (in: hFile=0x30c, lpBuffer=0x30f08e0*, nNumberOfBytesToWrite=0x4bf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30f08e0*, lpNumberOfBytesWritten=0xf1e698*=0x4bf, lpOverlapped=0x0) returned 1 [0064.367] CloseHandle (hObject=0x30c) returned 1 [0064.367] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.368] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x50 [0064.368] SetErrorMode (uMode=0x1) returned 0x0 [0064.368] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0xdc6b8e18, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x14c0)) returned 1 [0064.368] SetErrorMode (uMode=0x0) returned 0x1 [0064.368] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\header.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\header.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.371] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\header.bmp", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\header.bmp", lpFilePart=0x0) returned 0x20 [0064.371] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 0 [0064.371] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.371] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.371] SetErrorMode (uMode=0x1) returned 0x0 [0064.371] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b)) returned 1 [0064.371] SetErrorMode (uMode=0x0) returned 0x1 [0064.371] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.371] SetErrorMode (uMode=0x1) returned 0x0 [0064.372] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.372] GetFileType (hFile=0x30c) returned 0x1 [0064.372] SetErrorMode (uMode=0x0) returned 0x1 [0064.372] GetFileType (hFile=0x30c) returned 0x1 [0064.372] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xad03e4c [0064.372] ReadFile (in: hFile=0x30c, lpBuffer=0x30f2818, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30f2818*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0064.380] CloseHandle (hObject=0x30c) returned 1 [0064.380] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.380] SetErrorMode (uMode=0x1) returned 0x0 [0064.380] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.380] GetFileType (hFile=0x30c) returned 0x1 [0064.380] SetErrorMode (uMode=0x0) returned 0x1 [0064.380] GetFileType (hFile=0x30c) returned 0x1 [0064.380] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xad1384b [0064.380] SetFilePointer (in: hFile=0x30c, lDistanceToMove=181419596, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xad03e4c [0064.380] SetEndOfFile (hFile=0x30c) returned 1 [0064.383] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0064.383] CloseHandle (hObject=0x30c) returned 1 [0064.447] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.447] SetErrorMode (uMode=0x1) returned 0x0 [0064.447] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.448] GetFileType (hFile=0x30c) returned 0x1 [0064.448] SetErrorMode (uMode=0x0) returned 0x1 [0064.448] GetFileType (hFile=0x30c) returned 0x1 [0064.448] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xad03e4c [0064.448] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.450] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.452] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.452] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.452] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.452] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.452] WriteFile (in: hFile=0x30c, lpBuffer=0x317cbc8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x317cbc8*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0064.452] CloseHandle (hObject=0x30c) returned 1 [0064.941] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.941] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x54 [0064.942] SetErrorMode (uMode=0x1) returned 0x0 [0064.942] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xdcc510f1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xad1ab0b)) returned 1 [0064.942] SetErrorMode (uMode=0x0) returned 0x1 [0064.942] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0064.942] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core.mzz", lpFilePart=0x0) returned 0x24 [0064.942] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz")) returned 0 [0064.942] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0064.943] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0064.943] SetErrorMode (uMode=0x1) returned 0x0 [0064.943] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200)) returned 1 [0064.944] SetErrorMode (uMode=0x0) returned 0x1 [0064.944] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0064.944] SetErrorMode (uMode=0x1) returned 0x0 [0064.944] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.944] GetFileType (hFile=0x30c) returned 0x1 [0064.944] SetErrorMode (uMode=0x0) returned 0x1 [0064.944] GetFileType (hFile=0x30c) returned 0x1 [0064.944] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1c0801 [0064.944] ReadFile (in: hFile=0x30c, lpBuffer=0x317eb38, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x317eb38*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0064.947] CloseHandle (hObject=0x30c) returned 1 [0064.947] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0064.947] SetErrorMode (uMode=0x1) returned 0x0 [0064.947] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0064.947] GetFileType (hFile=0x30c) returned 0x1 [0064.947] SetErrorMode (uMode=0x0) returned 0x1 [0064.947] GetFileType (hFile=0x30c) returned 0x1 [0064.947] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x1d0200 [0064.947] SetFilePointer (in: hFile=0x30c, lDistanceToMove=1837057, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1c0801 [0064.947] SetEndOfFile (hFile=0x30c) returned 1 [0064.950] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0064.950] CloseHandle (hObject=0x30c) returned 1 [0064.995] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0064.996] SetErrorMode (uMode=0x1) returned 0x0 [0064.996] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0064.996] GetFileType (hFile=0x30c) returned 0x1 [0064.996] SetErrorMode (uMode=0x0) returned 0x1 [0064.996] GetFileType (hFile=0x30c) returned 0x1 [0064.996] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1c0801 [0064.996] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.997] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.997] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.997] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.997] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.998] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0064.999] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.000] WriteFile (in: hFile=0x30c, lpBuffer=0x3013b20*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3013b20*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0065.000] CloseHandle (hObject=0x30c) returned 1 [0065.074] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0065.074] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x58 [0065.074] SetErrorMode (uMode=0x1) returned 0x0 [0065.074] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xdcd99201, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1d74c0)) returned 1 [0065.075] SetErrorMode (uMode=0x0) returned 0x1 [0065.075] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0065.075] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpFilePart=0x0) returned 0x28 [0065.075] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi")) returned 0 [0065.075] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.075] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.075] SetErrorMode (uMode=0x1) returned 0x0 [0065.075] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000)) returned 1 [0065.076] SetErrorMode (uMode=0x0) returned 0x1 [0065.076] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.076] SetErrorMode (uMode=0x1) returned 0x0 [0065.076] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0065.076] GetFileType (hFile=0x30c) returned 0x1 [0065.076] SetErrorMode (uMode=0x0) returned 0x1 [0065.077] GetFileType (hFile=0x30c) returned 0x1 [0065.077] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x10c601 [0065.077] ReadFile (in: hFile=0x30c, lpBuffer=0x3017858, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3017858*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0065.082] CloseHandle (hObject=0x30c) returned 1 [0065.082] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.082] SetErrorMode (uMode=0x1) returned 0x0 [0065.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0065.082] GetFileType (hFile=0x30c) returned 0x1 [0065.082] SetErrorMode (uMode=0x0) returned 0x1 [0065.082] GetFileType (hFile=0x30c) returned 0x1 [0065.082] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11c000 [0065.082] SetFilePointer (in: hFile=0x30c, lDistanceToMove=1099265, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x10c601 [0065.082] SetEndOfFile (hFile=0x30c) returned 1 [0065.085] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0065.085] CloseHandle (hObject=0x30c) returned 1 [0065.102] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.102] SetErrorMode (uMode=0x1) returned 0x0 [0065.102] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0065.102] GetFileType (hFile=0x30c) returned 0x1 [0065.102] SetErrorMode (uMode=0x0) returned 0x1 [0065.102] GetFileType (hFile=0x30c) returned 0x1 [0065.102] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x10c601 [0065.102] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.112] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.113] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.114] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.115] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.116] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.116] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.116] WriteFile (in: hFile=0x30c, lpBuffer=0x3099920*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099920*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0065.116] CloseHandle (hObject=0x30c) returned 1 [0065.146] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.147] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x58 [0065.147] SetErrorMode (uMode=0x1) returned 0x0 [0065.147] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0xdce2c4dc, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1232c0)) returned 1 [0065.147] SetErrorMode (uMode=0x0) returned 0x1 [0065.147] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0065.147] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpFilePart=0x0) returned 0x28 [0065.147] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 0 [0065.148] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0065.148] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0065.148] SetErrorMode (uMode=0x1) returned 0x0 [0065.148] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7)) returned 1 [0065.148] SetErrorMode (uMode=0x0) returned 0x1 [0065.148] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0065.148] SetErrorMode (uMode=0x1) returned 0x0 [0065.148] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0065.148] GetFileType (hFile=0x30c) returned 0x1 [0065.148] SetErrorMode (uMode=0x0) returned 0x1 [0065.148] GetFileType (hFile=0x30c) returned 0x1 [0065.148] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x29128c8 [0065.148] ReadFile (in: hFile=0x30c, lpBuffer=0x309b8b0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x309b8b0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0065.162] CloseHandle (hObject=0x30c) returned 1 [0065.162] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0065.162] SetErrorMode (uMode=0x1) returned 0x0 [0065.162] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0065.163] GetFileType (hFile=0x30c) returned 0x1 [0065.163] SetErrorMode (uMode=0x0) returned 0x1 [0065.163] GetFileType (hFile=0x30c) returned 0x1 [0065.163] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x29222c7 [0065.163] SetFilePointer (in: hFile=0x30c, lDistanceToMove=43067592, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x29128c8 [0065.163] SetEndOfFile (hFile=0x30c) returned 1 [0065.167] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0065.167] CloseHandle (hObject=0x30c) returned 1 [0065.186] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0065.186] SetErrorMode (uMode=0x1) returned 0x0 [0065.186] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0065.186] GetFileType (hFile=0x30c) returned 0x1 [0065.186] SetErrorMode (uMode=0x0) returned 0x1 [0065.186] GetFileType (hFile=0x30c) returned 0x1 [0065.186] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x29128c8 [0065.186] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.635] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.635] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.635] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.635] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.636] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.636] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.636] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.636] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.636] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.638] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0065.639] WriteFile (in: hFile=0x30c, lpBuffer=0x311d978*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311d978*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0065.639] CloseHandle (hObject=0x30c) returned 1 [0066.073] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0066.073] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x58 [0066.073] SetErrorMode (uMode=0x1) returned 0x0 [0066.073] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xdd71d331, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2929587)) returned 1 [0066.073] SetErrorMode (uMode=0x0) returned 0x1 [0066.073] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.074] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpFilePart=0x0) returned 0x28 [0066.074] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz")) returned 0 [0066.074] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.074] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.074] SetErrorMode (uMode=0x1) returned 0x0 [0066.075] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000)) returned 1 [0066.075] SetErrorMode (uMode=0x0) returned 0x1 [0066.075] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.075] SetErrorMode (uMode=0x1) returned 0x0 [0066.076] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.076] GetFileType (hFile=0x30c) returned 0x1 [0066.076] SetErrorMode (uMode=0x0) returned 0x1 [0066.076] GetFileType (hFile=0x30c) returned 0x1 [0066.076] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xc5601 [0066.076] ReadFile (in: hFile=0x30c, lpBuffer=0x311f920, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x311f920*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.079] CloseHandle (hObject=0x30c) returned 1 [0066.079] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.079] SetErrorMode (uMode=0x1) returned 0x0 [0066.079] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.079] GetFileType (hFile=0x30c) returned 0x1 [0066.079] SetErrorMode (uMode=0x0) returned 0x1 [0066.079] GetFileType (hFile=0x30c) returned 0x1 [0066.079] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xd5000 [0066.079] SetFilePointer (in: hFile=0x30c, lDistanceToMove=808449, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xc5601 [0066.079] SetEndOfFile (hFile=0x30c) returned 1 [0066.082] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.082] CloseHandle (hObject=0x30c) returned 1 [0066.101] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.101] SetErrorMode (uMode=0x1) returned 0x0 [0066.101] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.101] GetFileType (hFile=0x30c) returned 0x1 [0066.101] SetErrorMode (uMode=0x0) returned 0x1 [0066.101] GetFileType (hFile=0x30c) returned 0x1 [0066.101] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xc5601 [0066.101] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.102] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.102] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.102] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.102] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.103] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.104] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.105] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.106] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.106] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.106] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.106] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.106] WriteFile (in: hFile=0x30c, lpBuffer=0x31a2668*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a2668*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.106] CloseHandle (hObject=0x30c) returned 1 [0066.146] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.146] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5c [0066.146] SetErrorMode (uMode=0x1) returned 0x0 [0066.146] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0xdd7b5c41, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xdc2c0)) returned 1 [0066.146] SetErrorMode (uMode=0x0) returned 0x1 [0066.147] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.147] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpFilePart=0x0) returned 0x2c [0066.147] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 0 [0066.147] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.147] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.147] SetErrorMode (uMode=0x1) returned 0x0 [0066.147] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000)) returned 1 [0066.148] SetErrorMode (uMode=0x0) returned 0x1 [0066.148] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.148] SetErrorMode (uMode=0x1) returned 0x0 [0066.148] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.148] GetFileType (hFile=0x30c) returned 0x1 [0066.148] SetErrorMode (uMode=0x0) returned 0x1 [0066.148] GetFileType (hFile=0x30c) returned 0x1 [0066.148] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x69601 [0066.148] ReadFile (in: hFile=0x30c, lpBuffer=0x31a4630, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x31a4630*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.151] CloseHandle (hObject=0x30c) returned 1 [0066.151] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.151] SetErrorMode (uMode=0x1) returned 0x0 [0066.151] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.151] GetFileType (hFile=0x30c) returned 0x1 [0066.151] SetErrorMode (uMode=0x0) returned 0x1 [0066.151] GetFileType (hFile=0x30c) returned 0x1 [0066.151] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x79000 [0066.151] SetFilePointer (in: hFile=0x30c, lDistanceToMove=431617, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x69601 [0066.151] SetEndOfFile (hFile=0x30c) returned 1 [0066.154] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.154] CloseHandle (hObject=0x30c) returned 1 [0066.185] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.185] SetErrorMode (uMode=0x1) returned 0x0 [0066.185] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.185] GetFileType (hFile=0x30c) returned 0x1 [0066.185] SetErrorMode (uMode=0x0) returned 0x1 [0066.185] GetFileType (hFile=0x30c) returned 0x1 [0066.185] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x69601 [0066.185] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.186] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.186] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.187] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.188] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.189] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.190] WriteFile (in: hFile=0x30c, lpBuffer=0x304d888*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x304d888*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.191] CloseHandle (hObject=0x30c) returned 1 [0066.204] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.204] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x5c [0066.204] SetErrorMode (uMode=0x1) returned 0x0 [0066.204] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0xdd84e335, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x802c0)) returned 1 [0066.205] SetErrorMode (uMode=0x0) returned 0x1 [0066.205] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.205] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpFilePart=0x0) returned 0x2c [0066.205] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 0 [0066.205] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.205] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.205] SetErrorMode (uMode=0x1) returned 0x0 [0066.205] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae)) returned 1 [0066.206] SetErrorMode (uMode=0x0) returned 0x1 [0066.206] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.206] SetErrorMode (uMode=0x1) returned 0x0 [0066.206] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.206] GetFileType (hFile=0x30c) returned 0x1 [0066.206] SetErrorMode (uMode=0x0) returned 0x1 [0066.207] GetFileType (hFile=0x30c) returned 0x1 [0066.207] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x32caf [0066.207] ReadFile (in: hFile=0x30c, lpBuffer=0x304f828, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x304f828*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.209] CloseHandle (hObject=0x30c) returned 1 [0066.209] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.209] SetErrorMode (uMode=0x1) returned 0x0 [0066.210] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.210] GetFileType (hFile=0x30c) returned 0x1 [0066.210] SetErrorMode (uMode=0x0) returned 0x1 [0066.210] GetFileType (hFile=0x30c) returned 0x1 [0066.210] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x426ae [0066.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=208047, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x32caf [0066.210] SetEndOfFile (hFile=0x30c) returned 1 [0066.217] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.217] CloseHandle (hObject=0x30c) returned 1 [0066.236] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.236] SetErrorMode (uMode=0x1) returned 0x0 [0066.236] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.236] GetFileType (hFile=0x30c) returned 0x1 [0066.236] SetErrorMode (uMode=0x0) returned 0x1 [0066.236] GetFileType (hFile=0x30c) returned 0x1 [0066.236] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x32caf [0066.236] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.237] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.237] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.238] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.239] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.239] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.239] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.239] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.239] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.240] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.240] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.240] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.241] WriteFile (in: hFile=0x30c, lpBuffer=0x30d18d8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30d18d8*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.241] CloseHandle (hObject=0x30c) returned 1 [0066.249] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.249] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x57 [0066.249] SetErrorMode (uMode=0x1) returned 0x0 [0066.249] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdd8c0c0e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4996e)) returned 1 [0066.249] SetErrorMode (uMode=0x0) returned 0x1 [0066.249] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.250] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\ParameterInfo.xml", lpFilePart=0x0) returned 0x27 [0066.250] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 0 [0066.250] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.250] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.250] SetErrorMode (uMode=0x1) returned 0x0 [0066.250] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200)) returned 1 [0066.250] SetErrorMode (uMode=0x0) returned 0x1 [0066.250] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.251] SetErrorMode (uMode=0x1) returned 0x0 [0066.251] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.251] GetFileType (hFile=0x30c) returned 0x1 [0066.251] SetErrorMode (uMode=0x0) returned 0x1 [0066.251] GetFileType (hFile=0x30c) returned 0x1 [0066.251] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1d801 [0066.251] ReadFile (in: hFile=0x30c, lpBuffer=0x30d3838, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30d3838*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.265] CloseHandle (hObject=0x30c) returned 1 [0066.265] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.265] SetErrorMode (uMode=0x1) returned 0x0 [0066.265] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.266] GetFileType (hFile=0x30c) returned 0x1 [0066.266] SetErrorMode (uMode=0x0) returned 0x1 [0066.266] GetFileType (hFile=0x30c) returned 0x1 [0066.266] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x2d200 [0066.266] SetFilePointer (in: hFile=0x30c, lDistanceToMove=120833, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1d801 [0066.266] SetEndOfFile (hFile=0x30c) returned 1 [0066.268] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.268] CloseHandle (hObject=0x30c) returned 1 [0066.298] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.298] SetErrorMode (uMode=0x1) returned 0x0 [0066.298] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.298] GetFileType (hFile=0x30c) returned 0x1 [0066.298] SetErrorMode (uMode=0x0) returned 0x1 [0066.298] GetFileType (hFile=0x30c) returned 0x1 [0066.298] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1d801 [0066.299] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.299] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.301] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.303] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.303] WriteFile (in: hFile=0x30c, lpBuffer=0x3001110*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3001110*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.303] CloseHandle (hObject=0x30c) returned 1 [0066.317] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.317] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x56 [0066.317] SetErrorMode (uMode=0x1) returned 0x0 [0066.318] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0xdd9592be, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x344c0)) returned 1 [0066.318] SetErrorMode (uMode=0x0) returned 0x1 [0066.318] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.318] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpFilePart=0x0) returned 0x26 [0066.318] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 0 [0066.318] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.318] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.318] SetErrorMode (uMode=0x1) returned 0x0 [0066.319] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200)) returned 1 [0066.319] SetErrorMode (uMode=0x0) returned 0x1 [0066.319] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.319] SetErrorMode (uMode=0x1) returned 0x0 [0066.319] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.319] GetFileType (hFile=0x30c) returned 0x1 [0066.319] SetErrorMode (uMode=0x0) returned 0x1 [0066.319] GetFileType (hFile=0x30c) returned 0x1 [0066.319] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x7801 [0066.319] ReadFile (in: hFile=0x30c, lpBuffer=0x3003070, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3003070*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.324] CloseHandle (hObject=0x30c) returned 1 [0066.324] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.324] SetErrorMode (uMode=0x1) returned 0x0 [0066.324] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.324] GetFileType (hFile=0x30c) returned 0x1 [0066.324] SetErrorMode (uMode=0x0) returned 0x1 [0066.324] GetFileType (hFile=0x30c) returned 0x1 [0066.324] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x17200 [0066.325] SetFilePointer (in: hFile=0x30c, lDistanceToMove=30721, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x7801 [0066.325] SetEndOfFile (hFile=0x30c) returned 1 [0066.327] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.327] CloseHandle (hObject=0x30c) returned 1 [0066.356] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.356] SetErrorMode (uMode=0x1) returned 0x0 [0066.356] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.357] GetFileType (hFile=0x30c) returned 0x1 [0066.357] SetErrorMode (uMode=0x0) returned 0x1 [0066.357] GetFileType (hFile=0x30c) returned 0x1 [0066.357] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x7801 [0066.357] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.358] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.358] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.358] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.358] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.358] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.359] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x30c, lpBuffer=0x30851a0*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30851a0*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.361] CloseHandle (hObject=0x30c) returned 1 [0066.374] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.374] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x56 [0066.374] SetErrorMode (uMode=0x1) returned 0x0 [0066.374] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0xdd9f1e56, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1e4c0)) returned 1 [0066.374] SetErrorMode (uMode=0x0) returned 0x1 [0066.374] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.375] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpFilePart=0x0) returned 0x26 [0066.375] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 0 [0066.375] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.375] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.375] SetErrorMode (uMode=0x1) returned 0x0 [0066.375] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148)) returned 1 [0066.376] SetErrorMode (uMode=0x0) returned 0x1 [0066.376] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.376] SetErrorMode (uMode=0x1) returned 0x0 [0066.376] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.376] GetFileType (hFile=0x30c) returned 0x1 [0066.376] SetErrorMode (uMode=0x0) returned 0x1 [0066.376] GetFileType (hFile=0x30c) returned 0x1 [0066.376] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x3749 [0066.376] ReadFile (in: hFile=0x30c, lpBuffer=0x30870d0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30870d0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.379] CloseHandle (hObject=0x30c) returned 1 [0066.379] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.379] SetErrorMode (uMode=0x1) returned 0x0 [0066.379] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.379] GetFileType (hFile=0x30c) returned 0x1 [0066.379] SetErrorMode (uMode=0x0) returned 0x1 [0066.379] GetFileType (hFile=0x30c) returned 0x1 [0066.379] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x13148 [0066.379] SetFilePointer (in: hFile=0x30c, lDistanceToMove=14153, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x3749 [0066.379] SetEndOfFile (hFile=0x30c) returned 1 [0066.381] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.381] CloseHandle (hObject=0x30c) returned 1 [0066.403] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.403] SetErrorMode (uMode=0x1) returned 0x0 [0066.403] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.403] GetFileType (hFile=0x30c) returned 0x1 [0066.403] SetErrorMode (uMode=0x0) returned 0x1 [0066.404] GetFileType (hFile=0x30c) returned 0x1 [0066.404] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x3749 [0066.404] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.405] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.405] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.405] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.405] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.407] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.408] WriteFile (in: hFile=0x30c, lpBuffer=0x310b2d0*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x310b2d0*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.408] CloseHandle (hObject=0x30c) returned 1 [0066.428] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.428] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x4f [0066.428] SetErrorMode (uMode=0x1) returned 0x0 [0066.429] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdda646fa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a408)) returned 1 [0066.429] SetErrorMode (uMode=0x0) returned 0x1 [0066.429] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), lpNewFileName="C:\\588bce7c90097ed212\\Setup.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\setup.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.429] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Setup.exe", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Setup.exe", lpFilePart=0x0) returned 0x1f [0066.429] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 0 [0066.429] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.429] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.429] SetErrorMode (uMode=0x1) returned 0x0 [0066.429] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158)) returned 1 [0066.431] SetErrorMode (uMode=0x0) returned 0x1 [0066.432] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.432] SetErrorMode (uMode=0x1) returned 0x0 [0066.432] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.432] GetFileType (hFile=0x30c) returned 0x1 [0066.432] SetErrorMode (uMode=0x0) returned 0x1 [0066.432] GetFileType (hFile=0x30c) returned 0x1 [0066.432] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xb5759 [0066.432] ReadFile (in: hFile=0x30c, lpBuffer=0x310d1e8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x310d1e8*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.435] CloseHandle (hObject=0x30c) returned 1 [0066.436] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.436] SetErrorMode (uMode=0x1) returned 0x0 [0066.436] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.436] GetFileType (hFile=0x30c) returned 0x1 [0066.436] SetErrorMode (uMode=0x0) returned 0x1 [0066.436] GetFileType (hFile=0x30c) returned 0x1 [0066.436] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xc5158 [0066.436] SetFilePointer (in: hFile=0x30c, lDistanceToMove=743257, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xb5759 [0066.436] SetEndOfFile (hFile=0x30c) returned 1 [0066.439] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.439] CloseHandle (hObject=0x30c) returned 1 [0066.459] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.459] SetErrorMode (uMode=0x1) returned 0x0 [0066.459] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.459] GetFileType (hFile=0x30c) returned 0x1 [0066.459] SetErrorMode (uMode=0x0) returned 0x1 [0066.459] GetFileType (hFile=0x30c) returned 0x1 [0066.459] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xb5759 [0066.459] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.460] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.460] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.460] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.460] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.468] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.469] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.472] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.472] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.472] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.473] WriteFile (in: hFile=0x30c, lpBuffer=0x318f2e0*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x318f2e0*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.473] CloseHandle (hObject=0x30c) returned 1 [0066.531] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.531] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x55 [0066.531] SetErrorMode (uMode=0x1) returned 0x0 [0066.531] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xddb6f7d3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcc418)) returned 1 [0066.531] SetErrorMode (uMode=0x0) returned 0x1 [0066.531] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), lpNewFileName="C:\\588bce7c90097ed212\\SetupEngine.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.532] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupEngine.dll", lpFilePart=0x0) returned 0x25 [0066.532] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 0 [0066.532] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.532] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.532] SetErrorMode (uMode=0x1) returned 0x0 [0066.532] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150)) returned 1 [0066.533] SetErrorMode (uMode=0x0) returned 0x1 [0066.533] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.533] SetErrorMode (uMode=0x1) returned 0x0 [0066.533] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.533] GetFileType (hFile=0x30c) returned 0x1 [0066.533] SetErrorMode (uMode=0x0) returned 0x1 [0066.533] GetFileType (hFile=0x30c) returned 0x1 [0066.533] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x38751 [0066.533] ReadFile (in: hFile=0x30c, lpBuffer=0x3191220, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3191220*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.536] CloseHandle (hObject=0x30c) returned 1 [0066.536] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.536] SetErrorMode (uMode=0x1) returned 0x0 [0066.536] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.536] GetFileType (hFile=0x30c) returned 0x1 [0066.536] SetErrorMode (uMode=0x0) returned 0x1 [0066.536] GetFileType (hFile=0x30c) returned 0x1 [0066.536] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x48150 [0066.536] SetFilePointer (in: hFile=0x30c, lDistanceToMove=231249, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x38751 [0066.536] SetEndOfFile (hFile=0x30c) returned 1 [0066.539] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.539] CloseHandle (hObject=0x30c) returned 1 [0066.564] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.564] SetErrorMode (uMode=0x1) returned 0x0 [0066.564] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.564] GetFileType (hFile=0x30c) returned 0x1 [0066.564] SetErrorMode (uMode=0x0) returned 0x1 [0066.565] GetFileType (hFile=0x30c) returned 0x1 [0066.565] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x38751 [0066.565] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.566] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.567] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.568] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.569] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.570] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.570] WriteFile (in: hFile=0x30c, lpBuffer=0x3213288*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3213288*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.570] CloseHandle (hObject=0x30c) returned 1 [0066.578] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.579] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x51 [0066.579] SetErrorMode (uMode=0x1) returned 0x0 [0066.579] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xddbe1bac, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4f410)) returned 1 [0066.579] SetErrorMode (uMode=0x0) returned 0x1 [0066.579] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUi.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\setupui.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.579] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.dll", lpFilePart=0x0) returned 0x21 [0066.579] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 0 [0066.580] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.580] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.580] SetErrorMode (uMode=0x1) returned 0x0 [0066.580] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8)) returned 1 [0066.580] SetErrorMode (uMode=0x0) returned 0x1 [0066.580] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.580] SetErrorMode (uMode=0x1) returned 0x0 [0066.580] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.580] GetFileType (hFile=0x30c) returned 0x1 [0066.580] SetErrorMode (uMode=0x0) returned 0x1 [0066.580] GetFileType (hFile=0x30c) returned 0x1 [0066.580] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-30069, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x33 [0066.580] ReadFile (in: hFile=0x30c, lpBuffer=0x32151a8, nNumberOfBytesToRead=0x7575, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x32151a8*, lpNumberOfBytesRead=0xf1e6f8*=0x7575, lpOverlapped=0x0) returned 1 [0066.595] CloseHandle (hObject=0x30c) returned 1 [0066.595] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.595] SetErrorMode (uMode=0x1) returned 0x0 [0066.595] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.595] GetFileType (hFile=0x30c) returned 0x1 [0066.595] SetErrorMode (uMode=0x0) returned 0x1 [0066.595] GetFileType (hFile=0x30c) returned 0x1 [0066.595] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x75a8 [0066.595] SetFilePointer (in: hFile=0x30c, lDistanceToMove=51, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x33 [0066.595] SetEndOfFile (hFile=0x30c) returned 1 [0066.598] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.598] CloseHandle (hObject=0x30c) returned 1 [0066.607] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.607] SetErrorMode (uMode=0x1) returned 0x0 [0066.607] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.607] GetFileType (hFile=0x30c) returned 0x1 [0066.608] SetErrorMode (uMode=0x0) returned 0x1 [0066.608] GetFileType (hFile=0x30c) returned 0x1 [0066.608] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x33 [0066.608] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.610] WriteFile (in: hFile=0x30c, lpBuffer=0x32640e8*, nNumberOfBytesToWrite=0xb6b, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32640e8*, lpNumberOfBytesWritten=0xf1e698*=0xb6b, lpOverlapped=0x0) returned 1 [0066.611] CloseHandle (hObject=0x30c) returned 1 [0066.612] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.612] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x51 [0066.612] SetErrorMode (uMode=0x1) returned 0x0 [0066.612] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0xddc2e057, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xab9e)) returned 1 [0066.612] SetErrorMode (uMode=0x0) returned 0x1 [0066.612] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUi.xsd[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.613] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUi.xsd", lpFilePart=0x0) returned 0x21 [0066.613] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 0 [0066.613] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.613] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.613] SetErrorMode (uMode=0x1) returned 0x0 [0066.613] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758)) returned 1 [0066.613] SetErrorMode (uMode=0x0) returned 0x1 [0066.613] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.614] SetErrorMode (uMode=0x1) returned 0x0 [0066.614] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.614] GetFileType (hFile=0x30c) returned 0x1 [0066.614] SetErrorMode (uMode=0x0) returned 0x1 [0066.614] GetFileType (hFile=0x30c) returned 0x1 [0066.614] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x7d59 [0066.614] ReadFile (in: hFile=0x30c, lpBuffer=0x3266028, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3266028*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.616] CloseHandle (hObject=0x30c) returned 1 [0066.616] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.616] SetErrorMode (uMode=0x1) returned 0x0 [0066.616] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.617] GetFileType (hFile=0x30c) returned 0x1 [0066.617] SetErrorMode (uMode=0x0) returned 0x1 [0066.617] GetFileType (hFile=0x30c) returned 0x1 [0066.617] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x17758 [0066.617] SetFilePointer (in: hFile=0x30c, lDistanceToMove=32089, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x7d59 [0066.617] SetEndOfFile (hFile=0x30c) returned 1 [0066.622] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.622] CloseHandle (hObject=0x30c) returned 1 [0066.649] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.649] SetErrorMode (uMode=0x1) returned 0x0 [0066.649] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.649] GetFileType (hFile=0x30c) returned 0x1 [0066.649] SetErrorMode (uMode=0x0) returned 0x1 [0066.649] GetFileType (hFile=0x30c) returned 0x1 [0066.649] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x7d59 [0066.649] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.650] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.654] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.654] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.654] WriteFile (in: hFile=0x30c, lpBuffer=0x32e80d8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x32e80d8*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0066.654] CloseHandle (hObject=0x30c) returned 1 [0066.660] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.660] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x56 [0066.660] SetErrorMode (uMode=0x1) returned 0x0 [0066.660] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xddca09ab, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ea18)) returned 1 [0066.660] SetErrorMode (uMode=0x0) returned 0x1 [0066.660] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUtility.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.661] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SetupUtility.exe", lpFilePart=0x0) returned 0x26 [0066.661] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 0 [0066.661] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.661] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.661] SetErrorMode (uMode=0x1) returned 0x0 [0066.661] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078)) returned 1 [0066.661] SetErrorMode (uMode=0x0) returned 0x1 [0066.661] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.661] SetErrorMode (uMode=0x1) returned 0x0 [0066.661] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.661] GetFileType (hFile=0x30c) returned 0x1 [0066.661] SetErrorMode (uMode=0x0) returned 0x1 [0066.661] GetFileType (hFile=0x30c) returned 0x1 [0066.661] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-41067, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xd [0066.661] ReadFile (in: hFile=0x30c, lpBuffer=0x32ea038, nNumberOfBytesToRead=0xa06b, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x32ea038*, lpNumberOfBytesRead=0xf1e6f8*=0xa06b, lpOverlapped=0x0) returned 1 [0066.664] CloseHandle (hObject=0x30c) returned 1 [0066.664] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.664] SetErrorMode (uMode=0x1) returned 0x0 [0066.664] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.664] GetFileType (hFile=0x30c) returned 0x1 [0066.664] SetErrorMode (uMode=0x0) returned 0x1 [0066.664] GetFileType (hFile=0x30c) returned 0x1 [0066.664] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xa078 [0066.664] SetFilePointer (in: hFile=0x30c, lDistanceToMove=13, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xd [0066.664] SetEndOfFile (hFile=0x30c) returned 1 [0066.667] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.667] CloseHandle (hObject=0x30c) returned 1 [0066.719] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.719] SetErrorMode (uMode=0x1) returned 0x0 [0066.719] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.719] GetFileType (hFile=0x30c) returned 0x1 [0066.719] SetErrorMode (uMode=0x0) returned 0x1 [0066.719] GetFileType (hFile=0x30c) returned 0x1 [0066.719] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xd [0066.719] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.720] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.720] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.720] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.721] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.722] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.722] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.722] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.722] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.722] WriteFile (in: hFile=0x30c, lpBuffer=0x2fe8120*, nNumberOfBytesToWrite=0xa13, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x2fe8120*, lpNumberOfBytesWritten=0xf1e698*=0xa13, lpOverlapped=0x0) returned 1 [0066.722] CloseHandle (hObject=0x30c) returned 1 [0066.724] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.724] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x56 [0066.724] SetErrorMode (uMode=0x1) returned 0x0 [0066.724] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xddd392bb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xea20)) returned 1 [0066.725] SetErrorMode (uMode=0x0) returned 0x1 [0066.725] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.725] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\SplashScreen.bmp", lpFilePart=0x0) returned 0x26 [0066.725] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 0 [0066.725] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\sqmapi.dll", lpFilePart=0x0) returned 0x20 [0066.725] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\sqmapi.dll", lpFilePart=0x0) returned 0x20 [0066.725] SetErrorMode (uMode=0x1) returned 0x0 [0066.725] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420)) returned 1 [0066.725] SetErrorMode (uMode=0x0) returned 0x1 [0066.726] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\sqmapi.dll", lpFilePart=0x0) returned 0x20 [0066.726] SetErrorMode (uMode=0x1) returned 0x0 [0066.726] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.726] GetFileType (hFile=0x30c) returned 0x1 [0066.726] SetErrorMode (uMode=0x0) returned 0x1 [0066.726] GetFileType (hFile=0x30c) returned 0x1 [0066.726] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x13a21 [0066.726] ReadFile (in: hFile=0x30c, lpBuffer=0x2fea060, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x2fea060*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0066.730] CloseHandle (hObject=0x30c) returned 1 [0066.730] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\sqmapi.dll", lpFilePart=0x0) returned 0x20 [0066.730] SetErrorMode (uMode=0x1) returned 0x0 [0066.730] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.730] GetFileType (hFile=0x30c) returned 0x1 [0066.730] SetErrorMode (uMode=0x0) returned 0x1 [0066.730] GetFileType (hFile=0x30c) returned 0x1 [0066.730] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x23420 [0066.730] SetFilePointer (in: hFile=0x30c, lDistanceToMove=80417, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x13a21 [0066.731] SetEndOfFile (hFile=0x30c) returned 1 [0066.733] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0066.733] CloseHandle (hObject=0x30c) returned 1 [0066.750] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\sqmapi.dll", lpFilePart=0x0) returned 0x20 [0066.750] SetErrorMode (uMode=0x1) returned 0x0 [0066.750] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.750] GetFileType (hFile=0x30c) returned 0x1 [0066.750] SetErrorMode (uMode=0x0) returned 0x1 [0066.751] GetFileType (hFile=0x30c) returned 0x1 [0066.751] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x13a21 [0066.751] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.754] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.754] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.754] WriteFile (in: hFile=0x30c, lpBuffer=0x306dd40*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x306dd40*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0066.755] CloseHandle (hObject=0x30c) returned 1 [0066.762] SetErrorMode (uMode=0x1) returned 0x0 [0066.763] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xdddae86c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2a6e0)) returned 1 [0066.763] SetErrorMode (uMode=0x0) returned 0x1 [0066.763] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), lpNewFileName="C:\\588bce7c90097ed212\\sqmapi.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.764] SetErrorMode (uMode=0x1) returned 0x0 [0066.764] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704)) returned 1 [0066.764] SetErrorMode (uMode=0x0) returned 0x1 [0066.764] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Strings.xml", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Strings.xml", lpFilePart=0x0) returned 0x21 [0066.764] SetErrorMode (uMode=0x1) returned 0x0 [0066.764] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.765] SetErrorMode (uMode=0x0) returned 0x1 [0066.765] GetFileType (hFile=0x30c) returned 0x1 [0066.765] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-14040, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x2c [0066.767] CloseHandle (hObject=0x30c) returned 1 [0066.768] SetErrorMode (uMode=0x1) returned 0x0 [0066.768] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.768] SetErrorMode (uMode=0x0) returned 0x1 [0066.768] GetFileType (hFile=0x30c) returned 0x1 [0066.768] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x3704 [0066.771] CloseHandle (hObject=0x30c) returned 1 [0066.773] SetErrorMode (uMode=0x1) returned 0x0 [0066.773] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.773] SetErrorMode (uMode=0x0) returned 0x1 [0066.773] GetFileType (hFile=0x30c) returned 0x1 [0066.773] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x2c [0066.775] CloseHandle (hObject=0x30c) returned 1 [0066.775] SetErrorMode (uMode=0x1) returned 0x0 [0066.775] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xdddd1a19, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x503f)) returned 1 [0066.775] SetErrorMode (uMode=0x0) returned 0x1 [0066.775] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Strings.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\strings.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.776] SetErrorMode (uMode=0x1) returned 0x0 [0066.776] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2)) returned 1 [0066.776] SetErrorMode (uMode=0x0) returned 0x1 [0066.776] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\UiInfo.xml", lpFilePart=0x0) returned 0x20 [0066.776] SetErrorMode (uMode=0x1) returned 0x0 [0066.776] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.776] SetErrorMode (uMode=0x0) returned 0x1 [0066.776] GetFileType (hFile=0x30c) returned 0x1 [0066.776] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-38844, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x36 [0066.822] CloseHandle (hObject=0x30c) returned 1 [0066.822] SetErrorMode (uMode=0x1) returned 0x0 [0066.822] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.822] SetErrorMode (uMode=0x0) returned 0x1 [0066.822] GetFileType (hFile=0x30c) returned 0x1 [0066.822] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x97f2 [0066.825] CloseHandle (hObject=0x30c) returned 1 [0066.832] SetErrorMode (uMode=0x1) returned 0x0 [0066.832] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.833] SetErrorMode (uMode=0x0) returned 0x1 [0066.833] GetFileType (hFile=0x30c) returned 0x1 [0066.833] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x36 [0066.835] CloseHandle (hObject=0x30c) returned 1 [0066.835] SetErrorMode (uMode=0x1) returned 0x0 [0066.835] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0xdde440f4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xdda1)) returned 1 [0066.835] SetErrorMode (uMode=0x0) returned 0x1 [0066.835] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\UiInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.836] SetErrorMode (uMode=0x1) returned 0x0 [0066.836] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688)) returned 1 [0066.836] SetErrorMode (uMode=0x0) returned 0x1 [0066.836] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\watermark.bmp", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\watermark.bmp", lpFilePart=0x0) returned 0x23 [0066.836] SetErrorMode (uMode=0x1) returned 0x0 [0066.836] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.836] SetErrorMode (uMode=0x0) returned 0x1 [0066.836] GetFileType (hFile=0x30c) returned 0x1 [0066.836] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x9c89 [0066.838] CloseHandle (hObject=0x30c) returned 1 [0066.838] SetErrorMode (uMode=0x1) returned 0x0 [0066.838] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.839] SetErrorMode (uMode=0x0) returned 0x1 [0066.839] GetFileType (hFile=0x30c) returned 0x1 [0066.839] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x19688 [0066.841] CloseHandle (hObject=0x30c) returned 1 [0066.855] SetErrorMode (uMode=0x1) returned 0x0 [0066.855] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.855] SetErrorMode (uMode=0x0) returned 0x1 [0066.855] GetFileType (hFile=0x30c) returned 0x1 [0066.855] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x9c89 [0066.858] CloseHandle (hObject=0x30c) returned 1 [0066.858] SetErrorMode (uMode=0x1) returned 0x0 [0066.858] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0xdde905f6, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x20948)) returned 1 [0066.859] SetErrorMode (uMode=0x0) returned 0x1 [0066.859] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\watermark.bmp[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.859] SetErrorMode (uMode=0x1) returned 0x0 [0066.859] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113)) returned 1 [0066.918] SetErrorMode (uMode=0x0) returned 0x1 [0066.918] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu", lpFilePart=0x0) returned 0x37 [0066.918] SetErrorMode (uMode=0x1) returned 0x0 [0066.919] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.919] SetErrorMode (uMode=0x0) returned 0x1 [0066.919] GetFileType (hFile=0x30c) returned 0x1 [0066.919] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x4e5714 [0066.923] CloseHandle (hObject=0x30c) returned 1 [0066.923] SetErrorMode (uMode=0x1) returned 0x0 [0066.923] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.923] SetErrorMode (uMode=0x0) returned 0x1 [0066.923] GetFileType (hFile=0x30c) returned 0x1 [0066.923] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x4f5113 [0066.926] CloseHandle (hObject=0x30c) returned 1 [0066.948] SetErrorMode (uMode=0x1) returned 0x0 [0066.948] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0066.948] SetErrorMode (uMode=0x0) returned 0x1 [0066.949] GetFileType (hFile=0x30c) returned 0x1 [0066.949] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x4e5714 [0066.951] CloseHandle (hObject=0x30c) returned 1 [0066.952] SetErrorMode (uMode=0x1) returned 0x0 [0066.952] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0xddf755e6, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4fc3d3)) returned 1 [0066.952] SetErrorMode (uMode=0x0) returned 0x1 [0066.952] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0066.952] SetErrorMode (uMode=0x1) returned 0x0 [0066.952] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520)) returned 1 [0066.953] SetErrorMode (uMode=0x0) returned 0x1 [0066.953] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu", lpFilePart=0x0) returned 0x37 [0066.953] SetErrorMode (uMode=0x1) returned 0x0 [0066.953] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.953] SetErrorMode (uMode=0x0) returned 0x1 [0066.953] GetFileType (hFile=0x30c) returned 0x1 [0066.953] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x207b21 [0066.955] CloseHandle (hObject=0x30c) returned 1 [0066.955] SetErrorMode (uMode=0x1) returned 0x0 [0066.955] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0066.955] SetErrorMode (uMode=0x0) returned 0x1 [0066.955] GetFileType (hFile=0x30c) returned 0x1 [0066.955] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x217520 [0066.958] CloseHandle (hObject=0x30c) returned 1 [0067.006] SetErrorMode (uMode=0x1) returned 0x0 [0067.006] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.007] SetErrorMode (uMode=0x0) returned 0x1 [0067.007] GetFileType (hFile=0x30c) returned 0x1 [0067.007] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x207b21 [0067.010] CloseHandle (hObject=0x30c) returned 1 [0067.010] SetErrorMode (uMode=0x1) returned 0x0 [0067.010] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0xde00dd79, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x21e7e0)) returned 1 [0067.010] SetErrorMode (uMode=0x0) returned 0x1 [0067.010] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.011] SetErrorMode (uMode=0x1) returned 0x0 [0067.011] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce)) returned 1 [0067.011] SetErrorMode (uMode=0x0) returned 0x1 [0067.011] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu", lpFilePart=0x0) returned 0x37 [0067.011] SetErrorMode (uMode=0x1) returned 0x0 [0067.011] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.011] SetErrorMode (uMode=0x0) returned 0x1 [0067.011] GetFileType (hFile=0x30c) returned 0x1 [0067.011] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x4cb7cf [0067.013] CloseHandle (hObject=0x30c) returned 1 [0067.013] SetErrorMode (uMode=0x1) returned 0x0 [0067.013] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.013] SetErrorMode (uMode=0x0) returned 0x1 [0067.013] GetFileType (hFile=0x30c) returned 0x1 [0067.014] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x4db1ce [0067.016] CloseHandle (hObject=0x30c) returned 1 [0067.030] SetErrorMode (uMode=0x1) returned 0x0 [0067.030] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.030] SetErrorMode (uMode=0x0) returned 0x1 [0067.030] GetFileType (hFile=0x30c) returned 0x1 [0067.030] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x4cb7cf [0067.032] CloseHandle (hObject=0x30c) returned 1 [0067.033] SetErrorMode (uMode=0x1) returned 0x0 [0067.033] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0xde034295, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4e248e)) returned 1 [0067.033] SetErrorMode (uMode=0x0) returned 0x1 [0067.033] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.033] SetErrorMode (uMode=0x1) returned 0x0 [0067.033] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9)) returned 1 [0067.033] SetErrorMode (uMode=0x0) returned 0x1 [0067.034] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", lpFilePart=0x0) returned 0x37 [0067.034] SetErrorMode (uMode=0x1) returned 0x0 [0067.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.034] SetErrorMode (uMode=0x0) returned 0x1 [0067.034] GetFileType (hFile=0x30c) returned 0x1 [0067.034] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1fb2fa [0067.079] CloseHandle (hObject=0x30c) returned 1 [0067.080] SetErrorMode (uMode=0x1) returned 0x0 [0067.080] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.080] SetErrorMode (uMode=0x0) returned 0x1 [0067.080] GetFileType (hFile=0x30c) returned 0x1 [0067.080] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x20acf9 [0067.083] CloseHandle (hObject=0x30c) returned 1 [0067.116] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", lpFilePart=0x0) returned 0x37 [0067.116] SetErrorMode (uMode=0x1) returned 0x0 [0067.116] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.116] SetErrorMode (uMode=0x0) returned 0x1 [0067.116] GetFileType (hFile=0x30c) returned 0x1 [0067.116] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1fb2fa [0067.197] CloseHandle (hObject=0x30c) returned 1 [0067.197] SetErrorMode (uMode=0x1) returned 0x0 [0067.197] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xde1d7be8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x211fb9)) returned 1 [0067.197] SetErrorMode (uMode=0x0) returned 0x1 [0067.197] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.198] SetErrorMode (uMode=0x1) returned 0x0 [0067.198] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.198] SetErrorMode (uMode=0x0) returned 0x1 [0067.198] GetFileType (hFile=0x30c) returned 0x1 [0067.199] CloseHandle (hObject=0x30c) returned 1 [0067.200] SetErrorMode (uMode=0x1) returned 0x0 [0067.200] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde1d7be8, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde1d7be8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0067.200] SetErrorMode (uMode=0x0) returned 0x1 [0067.200] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0067.200] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.200] CoTaskMemFree (pv=0x10bc9c0) [0067.200] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.201] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x81cd874e, Data2=0xb484, Data3=0x4b64, Data4=([0]=0xb5, [1]=0x11, [2]=0x28, [3]=0x28, [4]=0xa9, [5]=0xbd, [6]=0xf6, [7]=0x5e))) returned 0x0 [0067.201] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0067.201] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.201] CoTaskMemFree (pv=0x10bd8a0) [0067.201] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.201] SetErrorMode (uMode=0x1) returned 0x0 [0067.201] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0067.202] SetErrorMode (uMode=0x0) returned 0x1 [0067.202] SetErrorMode (uMode=0x1) returned 0x0 [0067.203] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f)) returned 1 [0067.203] SetErrorMode (uMode=0x0) returned 0x1 [0067.204] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1025\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.204] SetErrorMode (uMode=0x1) returned 0x0 [0067.204] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.204] SetErrorMode (uMode=0x0) returned 0x1 [0067.204] GetFileType (hFile=0x30c) returned 0x1 [0067.204] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-7488, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4f [0067.206] CloseHandle (hObject=0x30c) returned 1 [0067.206] SetErrorMode (uMode=0x1) returned 0x0 [0067.206] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.206] SetErrorMode (uMode=0x0) returned 0x1 [0067.206] GetFileType (hFile=0x30c) returned 0x1 [0067.206] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1d8f [0067.208] CloseHandle (hObject=0x30c) returned 1 [0067.210] SetErrorMode (uMode=0x1) returned 0x0 [0067.210] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.210] SetErrorMode (uMode=0x0) returned 0x1 [0067.210] GetFileType (hFile=0x30c) returned 0x1 [0067.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4f [0067.211] CloseHandle (hObject=0x30c) returned 1 [0067.211] SetErrorMode (uMode=0x1) returned 0x0 [0067.211] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde1d7be8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2b0e)) returned 1 [0067.211] SetErrorMode (uMode=0x0) returned 0x1 [0067.211] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.214] SetErrorMode (uMode=0x1) returned 0x0 [0067.214] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6)) returned 1 [0067.215] SetErrorMode (uMode=0x0) returned 0x1 [0067.215] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.215] SetErrorMode (uMode=0x1) returned 0x0 [0067.215] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.215] SetErrorMode (uMode=0x0) returned 0x1 [0067.215] GetFileType (hFile=0x30c) returned 0x1 [0067.215] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x27e7 [0067.217] CloseHandle (hObject=0x30c) returned 1 [0067.217] SetErrorMode (uMode=0x1) returned 0x0 [0067.218] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.218] SetErrorMode (uMode=0x0) returned 0x1 [0067.218] GetFileType (hFile=0x30c) returned 0x1 [0067.218] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x121e6 [0067.220] CloseHandle (hObject=0x30c) returned 1 [0067.233] SetErrorMode (uMode=0x1) returned 0x0 [0067.233] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.234] SetErrorMode (uMode=0x0) returned 0x1 [0067.234] GetFileType (hFile=0x30c) returned 0x1 [0067.234] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x27e7 [0067.237] CloseHandle (hObject=0x30c) returned 1 [0067.237] SetErrorMode (uMode=0x1) returned 0x0 [0067.237] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde223df1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x194a6)) returned 1 [0067.237] SetErrorMode (uMode=0x0) returned 0x1 [0067.237] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.237] SetErrorMode (uMode=0x1) returned 0x0 [0067.237] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358)) returned 1 [0067.238] SetErrorMode (uMode=0x0) returned 0x1 [0067.238] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1025\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0067.238] SetErrorMode (uMode=0x1) returned 0x0 [0067.238] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.238] SetErrorMode (uMode=0x0) returned 0x1 [0067.238] GetFileType (hFile=0x30c) returned 0x1 [0067.238] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17199, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x29 [0067.279] CloseHandle (hObject=0x30c) returned 1 [0067.279] SetErrorMode (uMode=0x1) returned 0x0 [0067.279] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.279] SetErrorMode (uMode=0x0) returned 0x1 [0067.280] GetFileType (hFile=0x30c) returned 0x1 [0067.280] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4358 [0067.282] CloseHandle (hObject=0x30c) returned 1 [0067.285] SetErrorMode (uMode=0x1) returned 0x0 [0067.285] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.285] SetErrorMode (uMode=0x0) returned 0x1 [0067.285] GetFileType (hFile=0x30c) returned 0x1 [0067.285] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x29 [0067.287] CloseHandle (hObject=0x30c) returned 1 [0067.287] SetErrorMode (uMode=0x1) returned 0x0 [0067.287] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde296717, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x623c)) returned 1 [0067.287] SetErrorMode (uMode=0x0) returned 0x1 [0067.287] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.287] SetErrorMode (uMode=0x1) returned 0x0 [0067.288] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1025\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.288] SetErrorMode (uMode=0x0) returned 0x1 [0067.288] GetFileType (hFile=0x30c) returned 0x1 [0067.290] CloseHandle (hObject=0x30c) returned 1 [0067.290] SetErrorMode (uMode=0x1) returned 0x0 [0067.291] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde296717, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde296717, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3410 [0067.291] SetErrorMode (uMode=0x0) returned 0x1 [0067.291] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.291] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.291] CoTaskMemFree (pv=0x10bd680) [0067.291] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.291] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xfcae0062, Data2=0xeba8, Data3=0x47b4, Data4=([0]=0xb7, [1]=0xfa, [2]=0x77, [3]=0x1b, [4]=0x4c, [5]=0x4f, [6]=0x52, [7]=0xd0))) returned 0x0 [0067.291] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0067.291] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.291] CoTaskMemFree (pv=0x10bd8a0) [0067.291] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.291] SetErrorMode (uMode=0x1) returned 0x0 [0067.291] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0067.292] SetErrorMode (uMode=0x0) returned 0x1 [0067.292] SetErrorMode (uMode=0x1) returned 0x0 [0067.292] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5)) returned 1 [0067.292] SetErrorMode (uMode=0x0) returned 0x1 [0067.292] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1028\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.293] SetErrorMode (uMode=0x1) returned 0x0 [0067.293] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.293] SetErrorMode (uMode=0x0) returned 0x1 [0067.293] GetFileType (hFile=0x30c) returned 0x1 [0067.293] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-6201, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x6c [0067.295] CloseHandle (hObject=0x30c) returned 1 [0067.295] SetErrorMode (uMode=0x1) returned 0x0 [0067.295] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.295] SetErrorMode (uMode=0x0) returned 0x1 [0067.295] GetFileType (hFile=0x30c) returned 0x1 [0067.295] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x18a5 [0067.297] CloseHandle (hObject=0x30c) returned 1 [0067.298] SetErrorMode (uMode=0x1) returned 0x0 [0067.298] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.299] SetErrorMode (uMode=0x0) returned 0x1 [0067.299] GetFileType (hFile=0x30c) returned 0x1 [0067.299] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x6c [0067.300] CloseHandle (hObject=0x30c) returned 1 [0067.300] SetErrorMode (uMode=0x1) returned 0x0 [0067.300] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde2bc9b0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x23d7)) returned 1 [0067.300] SetErrorMode (uMode=0x0) returned 0x1 [0067.300] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.302] SetErrorMode (uMode=0x1) returned 0x0 [0067.302] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90)) returned 1 [0067.303] SetErrorMode (uMode=0x0) returned 0x1 [0067.303] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.303] SetErrorMode (uMode=0x1) returned 0x0 [0067.304] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.304] SetErrorMode (uMode=0x0) returned 0x1 [0067.304] GetFileType (hFile=0x30c) returned 0x1 [0067.304] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-60723, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5d [0067.314] CloseHandle (hObject=0x30c) returned 1 [0067.314] SetErrorMode (uMode=0x1) returned 0x0 [0067.314] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.314] SetErrorMode (uMode=0x0) returned 0x1 [0067.314] GetFileType (hFile=0x30c) returned 0x1 [0067.314] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xed90 [0067.317] CloseHandle (hObject=0x30c) returned 1 [0067.329] SetErrorMode (uMode=0x1) returned 0x0 [0067.329] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.329] SetErrorMode (uMode=0x0) returned 0x1 [0067.329] GetFileType (hFile=0x30c) returned 0x1 [0067.329] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x5d [0067.332] CloseHandle (hObject=0x30c) returned 1 [0067.332] SetErrorMode (uMode=0x1) returned 0x0 [0067.332] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde308e9b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15a70)) returned 1 [0067.332] SetErrorMode (uMode=0x0) returned 0x1 [0067.332] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.333] SetErrorMode (uMode=0x1) returned 0x0 [0067.333] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758)) returned 1 [0067.391] SetErrorMode (uMode=0x0) returned 0x1 [0067.391] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1028\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0067.391] SetErrorMode (uMode=0x1) returned 0x0 [0067.392] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.392] SetErrorMode (uMode=0x0) returned 0x1 [0067.392] GetFileType (hFile=0x30c) returned 0x1 [0067.392] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-14157, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xb [0067.394] CloseHandle (hObject=0x30c) returned 1 [0067.394] SetErrorMode (uMode=0x1) returned 0x0 [0067.394] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.394] SetErrorMode (uMode=0x0) returned 0x1 [0067.394] GetFileType (hFile=0x30c) returned 0x1 [0067.394] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x3758 [0067.396] CloseHandle (hObject=0x30c) returned 1 [0067.403] SetErrorMode (uMode=0x1) returned 0x0 [0067.403] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.403] SetErrorMode (uMode=0x0) returned 0x1 [0067.403] GetFileType (hFile=0x30c) returned 0x1 [0067.403] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xb [0067.404] CloseHandle (hObject=0x30c) returned 1 [0067.404] SetErrorMode (uMode=0x1) returned 0x0 [0067.404] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde3c7893, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50ca)) returned 1 [0067.405] SetErrorMode (uMode=0x0) returned 0x1 [0067.405] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.405] SetErrorMode (uMode=0x1) returned 0x0 [0067.405] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1028\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.406] SetErrorMode (uMode=0x0) returned 0x1 [0067.406] GetFileType (hFile=0x30c) returned 0x1 [0067.407] CloseHandle (hObject=0x30c) returned 1 [0067.407] SetErrorMode (uMode=0x1) returned 0x0 [0067.407] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde3c7893, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde3c7893, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0067.408] SetErrorMode (uMode=0x0) returned 0x1 [0067.408] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.408] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.408] CoTaskMemFree (pv=0x10bd680) [0067.408] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.408] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xa81563c0, Data2=0x2289, Data3=0x4faa, Data4=([0]=0x84, [1]=0x7d, [2]=0xee, [3]=0xd4, [4]=0xad, [5]=0x82, [6]=0x30, [7]=0x12))) returned 0x0 [0067.408] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0067.408] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.408] CoTaskMemFree (pv=0x10be120) [0067.408] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.408] SetErrorMode (uMode=0x1) returned 0x0 [0067.408] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0067.409] SetErrorMode (uMode=0x0) returned 0x1 [0067.409] SetErrorMode (uMode=0x1) returned 0x0 [0067.409] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e)) returned 1 [0067.410] SetErrorMode (uMode=0x0) returned 0x1 [0067.410] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1029\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.410] SetErrorMode (uMode=0x1) returned 0x0 [0067.410] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.410] SetErrorMode (uMode=0x0) returned 0x1 [0067.410] GetFileType (hFile=0x30c) returned 0x1 [0067.410] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3627, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x63 [0067.412] CloseHandle (hObject=0x30c) returned 1 [0067.412] SetErrorMode (uMode=0x1) returned 0x0 [0067.412] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.412] SetErrorMode (uMode=0x0) returned 0x1 [0067.412] GetFileType (hFile=0x30c) returned 0x1 [0067.412] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xe8e [0067.414] CloseHandle (hObject=0x30c) returned 1 [0067.418] SetErrorMode (uMode=0x1) returned 0x0 [0067.418] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.418] SetErrorMode (uMode=0x0) returned 0x1 [0067.418] GetFileType (hFile=0x30c) returned 0x1 [0067.418] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x63 [0067.419] CloseHandle (hObject=0x30c) returned 1 [0067.419] SetErrorMode (uMode=0x1) returned 0x0 [0067.419] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde3eda18, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1522)) returned 1 [0067.419] SetErrorMode (uMode=0x0) returned 0x1 [0067.419] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.421] SetErrorMode (uMode=0x1) returned 0x0 [0067.421] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a)) returned 1 [0067.422] SetErrorMode (uMode=0x0) returned 0x1 [0067.422] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.422] SetErrorMode (uMode=0x1) returned 0x0 [0067.422] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.422] SetErrorMode (uMode=0x0) returned 0x1 [0067.422] GetFileType (hFile=0x30c) returned 0x1 [0067.422] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x424b [0067.425] CloseHandle (hObject=0x30c) returned 1 [0067.425] SetErrorMode (uMode=0x1) returned 0x0 [0067.425] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.425] SetErrorMode (uMode=0x0) returned 0x1 [0067.425] GetFileType (hFile=0x30c) returned 0x1 [0067.425] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x13c4a [0067.428] CloseHandle (hObject=0x30c) returned 1 [0067.534] SetErrorMode (uMode=0x1) returned 0x0 [0067.534] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.534] SetErrorMode (uMode=0x0) returned 0x1 [0067.534] GetFileType (hFile=0x30c) returned 0x1 [0067.534] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x424b [0067.537] CloseHandle (hObject=0x30c) returned 1 [0067.537] SetErrorMode (uMode=0x1) returned 0x0 [0067.537] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde4f8cc7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1af0a)) returned 1 [0067.537] SetErrorMode (uMode=0x0) returned 0x1 [0067.537] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.538] SetErrorMode (uMode=0x1) returned 0x0 [0067.538] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0067.538] SetErrorMode (uMode=0x0) returned 0x1 [0067.538] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1029\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0067.538] SetErrorMode (uMode=0x1) returned 0x0 [0067.538] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.538] SetErrorMode (uMode=0x0) returned 0x1 [0067.538] GetFileType (hFile=0x30c) returned 0x1 [0067.538] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0067.541] CloseHandle (hObject=0x30c) returned 1 [0067.541] SetErrorMode (uMode=0x1) returned 0x0 [0067.541] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.541] SetErrorMode (uMode=0x0) returned 0x1 [0067.541] GetFileType (hFile=0x30c) returned 0x1 [0067.541] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0067.543] CloseHandle (hObject=0x30c) returned 1 [0067.547] SetErrorMode (uMode=0x1) returned 0x0 [0067.547] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.547] SetErrorMode (uMode=0x0) returned 0x1 [0067.547] GetFileType (hFile=0x30c) returned 0x1 [0067.547] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0067.548] CloseHandle (hObject=0x30c) returned 1 [0067.548] SetErrorMode (uMode=0x1) returned 0x0 [0067.548] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde51ec59, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0067.548] SetErrorMode (uMode=0x0) returned 0x1 [0067.548] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.549] SetErrorMode (uMode=0x1) returned 0x0 [0067.549] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1029\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.549] SetErrorMode (uMode=0x0) returned 0x1 [0067.549] GetFileType (hFile=0x30c) returned 0x1 [0067.550] CloseHandle (hObject=0x30c) returned 1 [0067.551] SetErrorMode (uMode=0x1) returned 0x0 [0067.551] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde51ec59, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde51ec59, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0067.551] SetErrorMode (uMode=0x0) returned 0x1 [0067.551] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.551] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.551] CoTaskMemFree (pv=0x10bd680) [0067.551] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.551] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x50bcb6f0, Data2=0x3b2d, Data3=0x44b5, Data4=([0]=0x98, [1]=0x88, [2]=0x94, [3]=0xdb, [4]=0xba, [5]=0x61, [6]=0xaa, [7]=0x7))) returned 0x0 [0067.551] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.551] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.551] CoTaskMemFree (pv=0x10bd680) [0067.551] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.551] SetErrorMode (uMode=0x1) returned 0x0 [0067.552] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0067.552] SetErrorMode (uMode=0x0) returned 0x1 [0067.552] SetErrorMode (uMode=0x1) returned 0x0 [0067.552] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2)) returned 1 [0067.553] SetErrorMode (uMode=0x0) returned 0x1 [0067.553] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1030\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.553] SetErrorMode (uMode=0x1) returned 0x0 [0067.553] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.553] SetErrorMode (uMode=0x0) returned 0x1 [0067.553] GetFileType (hFile=0x30c) returned 0x1 [0067.553] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3276, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x26 [0067.698] CloseHandle (hObject=0x30c) returned 1 [0067.698] SetErrorMode (uMode=0x1) returned 0x0 [0067.698] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.698] SetErrorMode (uMode=0x0) returned 0x1 [0067.698] GetFileType (hFile=0x30c) returned 0x1 [0067.698] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xcf2 [0067.700] CloseHandle (hObject=0x30c) returned 1 [0067.701] SetErrorMode (uMode=0x1) returned 0x0 [0067.701] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.701] SetErrorMode (uMode=0x0) returned 0x1 [0067.701] GetFileType (hFile=0x30c) returned 0x1 [0067.701] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x26 [0067.702] CloseHandle (hObject=0x30c) returned 1 [0067.702] SetErrorMode (uMode=0x1) returned 0x0 [0067.702] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde69c46b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x12e5)) returned 1 [0067.702] SetErrorMode (uMode=0x0) returned 0x1 [0067.703] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.705] SetErrorMode (uMode=0x1) returned 0x0 [0067.705] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4)) returned 1 [0067.706] SetErrorMode (uMode=0x0) returned 0x1 [0067.706] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.706] SetErrorMode (uMode=0x1) returned 0x0 [0067.706] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.706] SetErrorMode (uMode=0x0) returned 0x1 [0067.706] GetFileType (hFile=0x30c) returned 0x1 [0067.706] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x35b5 [0067.710] CloseHandle (hObject=0x30c) returned 1 [0067.710] SetErrorMode (uMode=0x1) returned 0x0 [0067.710] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.710] SetErrorMode (uMode=0x0) returned 0x1 [0067.710] GetFileType (hFile=0x30c) returned 0x1 [0067.710] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x12fb4 [0067.712] CloseHandle (hObject=0x30c) returned 1 [0067.725] SetErrorMode (uMode=0x1) returned 0x0 [0067.725] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.726] SetErrorMode (uMode=0x0) returned 0x1 [0067.726] GetFileType (hFile=0x30c) returned 0x1 [0067.726] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x35b5 [0067.729] CloseHandle (hObject=0x30c) returned 1 [0067.730] SetErrorMode (uMode=0x1) returned 0x0 [0067.730] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde6ec846, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a274)) returned 1 [0067.730] SetErrorMode (uMode=0x0) returned 0x1 [0067.730] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.730] SetErrorMode (uMode=0x1) returned 0x0 [0067.731] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0067.731] SetErrorMode (uMode=0x0) returned 0x1 [0067.731] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1030\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0067.731] SetErrorMode (uMode=0x1) returned 0x0 [0067.731] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.732] SetErrorMode (uMode=0x0) returned 0x1 [0067.732] GetFileType (hFile=0x30c) returned 0x1 [0067.732] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0067.734] CloseHandle (hObject=0x30c) returned 1 [0067.734] SetErrorMode (uMode=0x1) returned 0x0 [0067.734] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.734] SetErrorMode (uMode=0x0) returned 0x1 [0067.734] GetFileType (hFile=0x30c) returned 0x1 [0067.734] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0067.801] CloseHandle (hObject=0x30c) returned 1 [0067.804] SetErrorMode (uMode=0x1) returned 0x0 [0067.804] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.805] SetErrorMode (uMode=0x0) returned 0x1 [0067.805] GetFileType (hFile=0x30c) returned 0x1 [0067.805] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0067.806] CloseHandle (hObject=0x30c) returned 1 [0067.806] SetErrorMode (uMode=0x1) returned 0x0 [0067.806] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde7933e2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0067.806] SetErrorMode (uMode=0x0) returned 0x1 [0067.806] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.807] SetErrorMode (uMode=0x1) returned 0x0 [0067.807] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1030\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.807] SetErrorMode (uMode=0x0) returned 0x1 [0067.807] GetFileType (hFile=0x30c) returned 0x1 [0067.808] CloseHandle (hObject=0x30c) returned 1 [0067.809] SetErrorMode (uMode=0x1) returned 0x0 [0067.809] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde7933e2, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde7933e2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0067.809] SetErrorMode (uMode=0x0) returned 0x1 [0067.809] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0067.809] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.809] CoTaskMemFree (pv=0x10bd8a0) [0067.809] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.809] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x4c5c396, Data2=0x482a, Data3=0x47be, Data4=([0]=0x99, [1]=0x37, [2]=0xdd, [3]=0x92, [4]=0x18, [5]=0xb8, [6]=0x91, [7]=0x60))) returned 0x0 [0067.809] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.809] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.810] CoTaskMemFree (pv=0x10bd680) [0067.810] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.810] SetErrorMode (uMode=0x1) returned 0x0 [0067.810] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0067.810] SetErrorMode (uMode=0x0) returned 0x1 [0067.810] SetErrorMode (uMode=0x1) returned 0x0 [0067.811] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b)) returned 1 [0067.811] SetErrorMode (uMode=0x0) returned 0x1 [0067.811] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1031\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.811] SetErrorMode (uMode=0x1) returned 0x0 [0067.811] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.811] SetErrorMode (uMode=0x0) returned 0x1 [0067.811] GetFileType (hFile=0x30c) returned 0x1 [0067.811] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3393, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1a [0067.813] CloseHandle (hObject=0x30c) returned 1 [0067.813] SetErrorMode (uMode=0x1) returned 0x0 [0067.816] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.816] SetErrorMode (uMode=0x0) returned 0x1 [0067.816] GetFileType (hFile=0x30c) returned 0x1 [0067.816] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xd5b [0067.818] CloseHandle (hObject=0x30c) returned 1 [0067.819] SetErrorMode (uMode=0x1) returned 0x0 [0067.819] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.819] SetErrorMode (uMode=0x0) returned 0x1 [0067.819] GetFileType (hFile=0x30c) returned 0x1 [0067.819] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1a [0067.820] CloseHandle (hObject=0x30c) returned 1 [0067.820] SetErrorMode (uMode=0x1) returned 0x0 [0067.820] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde7b9769, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1385)) returned 1 [0067.820] SetErrorMode (uMode=0x0) returned 0x1 [0067.820] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.822] SetErrorMode (uMode=0x1) returned 0x0 [0067.822] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa)) returned 1 [0067.822] SetErrorMode (uMode=0x0) returned 0x1 [0067.823] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.823] SetErrorMode (uMode=0x1) returned 0x0 [0067.823] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.823] SetErrorMode (uMode=0x0) returned 0x1 [0067.823] GetFileType (hFile=0x30c) returned 0x1 [0067.823] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x47ab [0067.825] CloseHandle (hObject=0x30c) returned 1 [0067.825] SetErrorMode (uMode=0x1) returned 0x0 [0067.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.825] SetErrorMode (uMode=0x0) returned 0x1 [0067.825] GetFileType (hFile=0x30c) returned 0x1 [0067.825] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x141aa [0067.828] CloseHandle (hObject=0x30c) returned 1 [0067.841] SetErrorMode (uMode=0x1) returned 0x0 [0067.841] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.841] SetErrorMode (uMode=0x0) returned 0x1 [0067.841] GetFileType (hFile=0x30c) returned 0x1 [0067.841] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x47ab [0067.844] CloseHandle (hObject=0x30c) returned 1 [0067.844] SetErrorMode (uMode=0x1) returned 0x0 [0067.844] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde7df91c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b46a)) returned 1 [0067.897] SetErrorMode (uMode=0x0) returned 0x1 [0067.897] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.898] SetErrorMode (uMode=0x1) returned 0x0 [0067.898] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958)) returned 1 [0067.898] SetErrorMode (uMode=0x0) returned 0x1 [0067.898] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1031\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0067.898] SetErrorMode (uMode=0x1) returned 0x0 [0067.898] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.898] SetErrorMode (uMode=0x0) returned 0x1 [0067.898] GetFileType (hFile=0x30c) returned 0x1 [0067.898] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18720, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0067.900] CloseHandle (hObject=0x30c) returned 1 [0067.900] SetErrorMode (uMode=0x1) returned 0x0 [0067.900] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.900] SetErrorMode (uMode=0x0) returned 0x1 [0067.900] GetFileType (hFile=0x30c) returned 0x1 [0067.900] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4958 [0067.903] CloseHandle (hObject=0x30c) returned 1 [0067.906] SetErrorMode (uMode=0x1) returned 0x0 [0067.906] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.906] SetErrorMode (uMode=0x0) returned 0x1 [0067.906] GetFileType (hFile=0x30c) returned 0x1 [0067.906] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0067.908] CloseHandle (hObject=0x30c) returned 1 [0067.908] SetErrorMode (uMode=0x1) returned 0x0 [0067.908] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde89e4df, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6af7)) returned 1 [0067.908] SetErrorMode (uMode=0x0) returned 0x1 [0067.908] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.909] SetErrorMode (uMode=0x1) returned 0x0 [0067.909] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1031\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.910] SetErrorMode (uMode=0x0) returned 0x1 [0067.910] GetFileType (hFile=0x30c) returned 0x1 [0067.911] CloseHandle (hObject=0x30c) returned 1 [0067.911] SetErrorMode (uMode=0x1) returned 0x0 [0067.911] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde89e4df, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde89e4df, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0067.911] SetErrorMode (uMode=0x0) returned 0x1 [0067.911] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0067.911] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0067.911] CoTaskMemFree (pv=0x10bc9c0) [0067.911] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0067.911] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xf0b5b7da, Data2=0x59b6, Data3=0x472f, Data4=([0]=0x96, [1]=0x6c, [2]=0xa, [3]=0xfe, [4]=0x89, [5]=0xb6, [6]=0xfe, [7]=0xb5))) returned 0x0 [0067.912] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0067.912] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0067.912] CoTaskMemFree (pv=0x10bd680) [0067.912] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0067.912] SetErrorMode (uMode=0x1) returned 0x0 [0067.912] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0067.913] SetErrorMode (uMode=0x0) returned 0x1 [0067.913] SetErrorMode (uMode=0x1) returned 0x0 [0067.913] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac)) returned 1 [0067.914] SetErrorMode (uMode=0x0) returned 0x1 [0067.914] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1032\\eula.rtf", lpFilePart=0x0) returned 0x23 [0067.914] SetErrorMode (uMode=0x1) returned 0x0 [0067.914] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.914] SetErrorMode (uMode=0x0) returned 0x1 [0067.914] GetFileType (hFile=0x30c) returned 0x1 [0067.914] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-8775, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x65 [0067.925] CloseHandle (hObject=0x30c) returned 1 [0067.925] SetErrorMode (uMode=0x1) returned 0x0 [0067.925] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.925] SetErrorMode (uMode=0x0) returned 0x1 [0067.925] GetFileType (hFile=0x30c) returned 0x1 [0067.925] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x22ac [0067.927] CloseHandle (hObject=0x30c) returned 1 [0067.929] SetErrorMode (uMode=0x1) returned 0x0 [0067.929] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0067.929] SetErrorMode (uMode=0x0) returned 0x1 [0067.929] GetFileType (hFile=0x30c) returned 0x1 [0067.929] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x65 [0067.930] CloseHandle (hObject=0x30c) returned 1 [0067.930] SetErrorMode (uMode=0x1) returned 0x0 [0067.930] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xde8c4775, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x3278)) returned 1 [0067.931] SetErrorMode (uMode=0x0) returned 0x1 [0067.931] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0067.933] SetErrorMode (uMode=0x1) returned 0x0 [0067.933] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c)) returned 1 [0067.933] SetErrorMode (uMode=0x0) returned 0x1 [0067.933] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0067.933] SetErrorMode (uMode=0x1) returned 0x0 [0067.933] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.933] SetErrorMode (uMode=0x0) returned 0x1 [0067.933] GetFileType (hFile=0x30c) returned 0x1 [0067.933] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x570d [0067.935] CloseHandle (hObject=0x30c) returned 1 [0067.935] SetErrorMode (uMode=0x1) returned 0x0 [0067.935] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0067.935] SetErrorMode (uMode=0x0) returned 0x1 [0067.935] GetFileType (hFile=0x30c) returned 0x1 [0067.936] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1510c [0067.938] CloseHandle (hObject=0x30c) returned 1 [0068.006] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.006] SetErrorMode (uMode=0x1) returned 0x0 [0068.006] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.006] SetErrorMode (uMode=0x0) returned 0x1 [0068.006] GetFileType (hFile=0x30c) returned 0x1 [0068.006] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x570d [0068.010] CloseHandle (hObject=0x30c) returned 1 [0068.010] SetErrorMode (uMode=0x1) returned 0x0 [0068.010] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xde98335d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c3cc)) returned 1 [0068.010] SetErrorMode (uMode=0x0) returned 0x1 [0068.010] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.011] SetErrorMode (uMode=0x1) returned 0x0 [0068.011] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58)) returned 1 [0068.011] SetErrorMode (uMode=0x0) returned 0x1 [0068.011] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1032\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.011] SetErrorMode (uMode=0x1) returned 0x0 [0068.011] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.011] SetErrorMode (uMode=0x0) returned 0x1 [0068.011] GetFileType (hFile=0x30c) returned 0x1 [0068.011] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19188, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x64 [0068.013] CloseHandle (hObject=0x30c) returned 1 [0068.013] SetErrorMode (uMode=0x1) returned 0x0 [0068.013] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.013] SetErrorMode (uMode=0x0) returned 0x1 [0068.014] GetFileType (hFile=0x30c) returned 0x1 [0068.014] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4b58 [0068.016] CloseHandle (hObject=0x30c) returned 1 [0068.019] SetErrorMode (uMode=0x1) returned 0x0 [0068.019] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.020] SetErrorMode (uMode=0x0) returned 0x1 [0068.020] GetFileType (hFile=0x30c) returned 0x1 [0068.020] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x64 [0068.021] CloseHandle (hObject=0x30c) returned 1 [0068.021] SetErrorMode (uMode=0x1) returned 0x0 [0068.021] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xde9a9765, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6dcf)) returned 1 [0068.021] SetErrorMode (uMode=0x0) returned 0x1 [0068.021] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.022] SetErrorMode (uMode=0x1) returned 0x0 [0068.022] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1032\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.022] SetErrorMode (uMode=0x0) returned 0x1 [0068.022] GetFileType (hFile=0x30c) returned 0x1 [0068.023] CloseHandle (hObject=0x30c) returned 1 [0068.023] SetErrorMode (uMode=0x1) returned 0x0 [0068.024] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xde9a9765, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xde9a9765, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0068.024] SetErrorMode (uMode=0x0) returned 0x1 [0068.024] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.024] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.024] CoTaskMemFree (pv=0x10be120) [0068.024] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.024] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x870cdca8, Data2=0x1b66, Data3=0x4711, Data4=([0]=0xb3, [1]=0xae, [2]=0x77, [3]=0x10, [4]=0x63, [5]=0x2, [6]=0x8d, [7]=0xa2))) returned 0x0 [0068.024] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0068.024] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.024] CoTaskMemFree (pv=0x10bc9c0) [0068.024] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.024] SetErrorMode (uMode=0x1) returned 0x0 [0068.024] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0068.066] SetErrorMode (uMode=0x0) returned 0x1 [0068.066] SetErrorMode (uMode=0x1) returned 0x0 [0068.066] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74)) returned 1 [0068.067] SetErrorMode (uMode=0x0) returned 0x1 [0068.067] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1033\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.067] SetErrorMode (uMode=0x1) returned 0x0 [0068.067] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.067] SetErrorMode (uMode=0x0) returned 0x1 [0068.067] GetFileType (hFile=0x30c) returned 0x1 [0068.067] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3159, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1d [0068.069] CloseHandle (hObject=0x30c) returned 1 [0068.069] SetErrorMode (uMode=0x1) returned 0x0 [0068.069] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.069] SetErrorMode (uMode=0x0) returned 0x1 [0068.069] GetFileType (hFile=0x30c) returned 0x1 [0068.069] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xc74 [0068.071] CloseHandle (hObject=0x30c) returned 1 [0068.072] SetErrorMode (uMode=0x1) returned 0x0 [0068.072] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.072] SetErrorMode (uMode=0x0) returned 0x1 [0068.072] GetFileType (hFile=0x30c) returned 0x1 [0068.073] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1d [0068.073] CloseHandle (hObject=0x30c) returned 1 [0068.074] SetErrorMode (uMode=0x1) returned 0x0 [0068.074] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xdea1becb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1230)) returned 1 [0068.074] SetErrorMode (uMode=0x0) returned 0x1 [0068.074] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.077] SetErrorMode (uMode=0x1) returned 0x0 [0068.077] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0)) returned 1 [0068.078] SetErrorMode (uMode=0x0) returned 0x1 [0068.078] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.078] SetErrorMode (uMode=0x1) returned 0x0 [0068.078] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.078] SetErrorMode (uMode=0x0) returned 0x1 [0068.078] GetFileType (hFile=0x30c) returned 0x1 [0068.078] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x33b1 [0068.080] CloseHandle (hObject=0x30c) returned 1 [0068.080] SetErrorMode (uMode=0x1) returned 0x0 [0068.081] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.081] SetErrorMode (uMode=0x0) returned 0x1 [0068.081] GetFileType (hFile=0x30c) returned 0x1 [0068.081] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x12db0 [0068.083] CloseHandle (hObject=0x30c) returned 1 [0068.151] SetErrorMode (uMode=0x1) returned 0x0 [0068.151] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.151] SetErrorMode (uMode=0x0) returned 0x1 [0068.151] GetFileType (hFile=0x30c) returned 0x1 [0068.151] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x33b1 [0068.154] CloseHandle (hObject=0x30c) returned 1 [0068.154] SetErrorMode (uMode=0x1) returned 0x0 [0068.154] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdeadaa93, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a070)) returned 1 [0068.154] SetErrorMode (uMode=0x0) returned 0x1 [0068.154] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.155] SetErrorMode (uMode=0x1) returned 0x0 [0068.155] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358)) returned 1 [0068.156] SetErrorMode (uMode=0x0) returned 0x1 [0068.156] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1033\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.156] SetErrorMode (uMode=0x1) returned 0x0 [0068.156] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.156] SetErrorMode (uMode=0x0) returned 0x1 [0068.157] GetFileType (hFile=0x30c) returned 0x1 [0068.157] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17199, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x29 [0068.161] CloseHandle (hObject=0x30c) returned 1 [0068.161] SetErrorMode (uMode=0x1) returned 0x0 [0068.161] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.161] SetErrorMode (uMode=0x0) returned 0x1 [0068.161] GetFileType (hFile=0x30c) returned 0x1 [0068.161] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4358 [0068.163] CloseHandle (hObject=0x30c) returned 1 [0068.166] SetErrorMode (uMode=0x1) returned 0x0 [0068.166] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.166] SetErrorMode (uMode=0x0) returned 0x1 [0068.167] GetFileType (hFile=0x30c) returned 0x1 [0068.167] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x29 [0068.168] CloseHandle (hObject=0x30c) returned 1 [0068.168] SetErrorMode (uMode=0x1) returned 0x0 [0068.168] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdeb00ce8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x623c)) returned 1 [0068.168] SetErrorMode (uMode=0x0) returned 0x1 [0068.168] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.169] SetErrorMode (uMode=0x1) returned 0x0 [0068.169] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1033\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.169] SetErrorMode (uMode=0x0) returned 0x1 [0068.169] GetFileType (hFile=0x30c) returned 0x1 [0068.170] CloseHandle (hObject=0x30c) returned 1 [0068.170] SetErrorMode (uMode=0x1) returned 0x0 [0068.170] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdeb00ce8, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdeb00ce8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2db0 [0068.170] SetErrorMode (uMode=0x0) returned 0x1 [0068.171] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0068.171] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.171] CoTaskMemFree (pv=0x10bc9c0) [0068.171] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.171] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x9da3ff7d, Data2=0xfad, Data3=0x4e5b, Data4=([0]=0x90, [1]=0x12, [2]=0x8a, [3]=0x86, [4]=0x6a, [5]=0xe3, [6]=0x76, [7]=0x76))) returned 0x0 [0068.171] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.171] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.171] CoTaskMemFree (pv=0x10be120) [0068.171] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.171] SetErrorMode (uMode=0x1) returned 0x0 [0068.171] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2e70 [0068.171] SetErrorMode (uMode=0x0) returned 0x1 [0068.171] SetErrorMode (uMode=0x1) returned 0x0 [0068.171] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76)) returned 1 [0068.172] SetErrorMode (uMode=0x0) returned 0x1 [0068.172] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1035\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.172] SetErrorMode (uMode=0x1) returned 0x0 [0068.172] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.172] SetErrorMode (uMode=0x0) returned 0x1 [0068.172] GetFileType (hFile=0x30c) returned 0x1 [0068.172] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3627, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0068.175] CloseHandle (hObject=0x30c) returned 1 [0068.175] SetErrorMode (uMode=0x1) returned 0x0 [0068.175] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.175] SetErrorMode (uMode=0x0) returned 0x1 [0068.175] GetFileType (hFile=0x30c) returned 0x1 [0068.175] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xe76 [0068.177] CloseHandle (hObject=0x30c) returned 1 [0068.178] SetErrorMode (uMode=0x1) returned 0x0 [0068.178] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.178] SetErrorMode (uMode=0x0) returned 0x1 [0068.178] GetFileType (hFile=0x30c) returned 0x1 [0068.178] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0068.179] CloseHandle (hObject=0x30c) returned 1 [0068.179] SetErrorMode (uMode=0x1) returned 0x0 [0068.179] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdeb26f9f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x150a)) returned 1 [0068.179] SetErrorMode (uMode=0x0) returned 0x1 [0068.179] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.182] SetErrorMode (uMode=0x1) returned 0x0 [0068.182] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde)) returned 1 [0068.182] SetErrorMode (uMode=0x0) returned 0x1 [0068.182] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.182] SetErrorMode (uMode=0x1) returned 0x0 [0068.182] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.182] SetErrorMode (uMode=0x0) returned 0x1 [0068.182] GetFileType (hFile=0x30c) returned 0x1 [0068.182] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x32df [0068.184] CloseHandle (hObject=0x30c) returned 1 [0068.184] SetErrorMode (uMode=0x1) returned 0x0 [0068.184] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.185] SetErrorMode (uMode=0x0) returned 0x1 [0068.185] GetFileType (hFile=0x30c) returned 0x1 [0068.185] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x12cde [0068.187] CloseHandle (hObject=0x30c) returned 1 [0068.248] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.248] SetErrorMode (uMode=0x1) returned 0x0 [0068.248] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.250] SetErrorMode (uMode=0x0) returned 0x1 [0068.250] GetFileType (hFile=0x30c) returned 0x1 [0068.250] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x32df [0068.254] CloseHandle (hObject=0x30c) returned 1 [0068.254] SetErrorMode (uMode=0x1) returned 0x0 [0068.254] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdebe5b59, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19f9e)) returned 1 [0068.254] SetErrorMode (uMode=0x0) returned 0x1 [0068.254] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.256] SetErrorMode (uMode=0x1) returned 0x0 [0068.256] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0068.256] SetErrorMode (uMode=0x0) returned 0x1 [0068.256] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1035\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.256] SetErrorMode (uMode=0x1) returned 0x0 [0068.257] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.257] SetErrorMode (uMode=0x0) returned 0x1 [0068.257] GetFileType (hFile=0x30c) returned 0x1 [0068.257] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0068.260] CloseHandle (hObject=0x30c) returned 1 [0068.260] SetErrorMode (uMode=0x1) returned 0x0 [0068.260] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.261] SetErrorMode (uMode=0x0) returned 0x1 [0068.261] GetFileType (hFile=0x30c) returned 0x1 [0068.261] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0068.263] CloseHandle (hObject=0x30c) returned 1 [0068.295] SetErrorMode (uMode=0x1) returned 0x0 [0068.295] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.295] SetErrorMode (uMode=0x0) returned 0x1 [0068.295] GetFileType (hFile=0x30c) returned 0x1 [0068.295] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0068.297] CloseHandle (hObject=0x30c) returned 1 [0068.297] SetErrorMode (uMode=0x1) returned 0x0 [0068.297] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdec32071, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0068.297] SetErrorMode (uMode=0x0) returned 0x1 [0068.297] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.298] SetErrorMode (uMode=0x1) returned 0x0 [0068.298] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1035\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.323] SetErrorMode (uMode=0x0) returned 0x1 [0068.323] GetFileType (hFile=0x30c) returned 0x1 [0068.324] CloseHandle (hObject=0x30c) returned 1 [0068.325] SetErrorMode (uMode=0x1) returned 0x0 [0068.325] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdec32071, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdec7e28a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0068.325] SetErrorMode (uMode=0x0) returned 0x1 [0068.326] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0068.326] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.326] CoTaskMemFree (pv=0x10bd680) [0068.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.326] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x4a137c77, Data2=0x64e8, Data3=0x40de, Data4=([0]=0xae, [1]=0x66, [2]=0x96, [3]=0xdd, [4]=0xd7, [5]=0x9c, [6]=0xf2, [7]=0x62))) returned 0x0 [0068.326] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.326] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.326] CoTaskMemFree (pv=0x10be120) [0068.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.326] SetErrorMode (uMode=0x1) returned 0x0 [0068.326] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0068.327] SetErrorMode (uMode=0x0) returned 0x1 [0068.327] SetErrorMode (uMode=0x1) returned 0x0 [0068.327] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6)) returned 1 [0068.328] SetErrorMode (uMode=0x0) returned 0x1 [0068.328] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1036\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.328] SetErrorMode (uMode=0x1) returned 0x0 [0068.328] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.328] SetErrorMode (uMode=0x0) returned 0x1 [0068.328] GetFileType (hFile=0x30c) returned 0x1 [0068.328] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3510, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x10 [0068.332] CloseHandle (hObject=0x30c) returned 1 [0068.332] SetErrorMode (uMode=0x1) returned 0x0 [0068.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.332] SetErrorMode (uMode=0x0) returned 0x1 [0068.332] GetFileType (hFile=0x30c) returned 0x1 [0068.332] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xdc6 [0068.335] CloseHandle (hObject=0x30c) returned 1 [0068.335] SetErrorMode (uMode=0x1) returned 0x0 [0068.335] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.336] SetErrorMode (uMode=0x0) returned 0x1 [0068.336] GetFileType (hFile=0x30c) returned 0x1 [0068.336] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x10 [0068.338] CloseHandle (hObject=0x30c) returned 1 [0068.338] SetErrorMode (uMode=0x1) returned 0x0 [0068.338] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdeca4686, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1423)) returned 1 [0068.338] SetErrorMode (uMode=0x0) returned 0x1 [0068.338] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.340] SetErrorMode (uMode=0x1) returned 0x0 [0068.340] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412)) returned 1 [0068.340] SetErrorMode (uMode=0x0) returned 0x1 [0068.340] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.341] SetErrorMode (uMode=0x1) returned 0x0 [0068.341] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.341] SetErrorMode (uMode=0x0) returned 0x1 [0068.341] GetFileType (hFile=0x30c) returned 0x1 [0068.341] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4a13 [0068.354] CloseHandle (hObject=0x30c) returned 1 [0068.354] SetErrorMode (uMode=0x1) returned 0x0 [0068.354] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.354] SetErrorMode (uMode=0x0) returned 0x1 [0068.354] GetFileType (hFile=0x30c) returned 0x1 [0068.354] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x14412 [0068.357] CloseHandle (hObject=0x30c) returned 1 [0068.387] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.387] SetErrorMode (uMode=0x1) returned 0x0 [0068.387] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.387] SetErrorMode (uMode=0x0) returned 0x1 [0068.387] GetFileType (hFile=0x30c) returned 0x1 [0068.387] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4a13 [0068.390] CloseHandle (hObject=0x30c) returned 1 [0068.390] SetErrorMode (uMode=0x1) returned 0x0 [0068.390] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xded16d2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b6d2)) returned 1 [0068.390] SetErrorMode (uMode=0x0) returned 0x1 [0068.390] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.391] SetErrorMode (uMode=0x1) returned 0x0 [0068.391] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958)) returned 1 [0068.391] SetErrorMode (uMode=0x0) returned 0x1 [0068.391] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1036\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.391] SetErrorMode (uMode=0x1) returned 0x0 [0068.391] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.391] SetErrorMode (uMode=0x0) returned 0x1 [0068.391] GetFileType (hFile=0x30c) returned 0x1 [0068.391] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18720, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0068.411] CloseHandle (hObject=0x30c) returned 1 [0068.411] SetErrorMode (uMode=0x1) returned 0x0 [0068.411] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.411] SetErrorMode (uMode=0x0) returned 0x1 [0068.413] GetFileType (hFile=0x30c) returned 0x1 [0068.413] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4958 [0068.431] CloseHandle (hObject=0x30c) returned 1 [0068.538] SetErrorMode (uMode=0x1) returned 0x0 [0068.538] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.538] SetErrorMode (uMode=0x0) returned 0x1 [0068.538] GetFileType (hFile=0x30c) returned 0x1 [0068.538] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0068.540] CloseHandle (hObject=0x30c) returned 1 [0068.540] SetErrorMode (uMode=0x1) returned 0x0 [0068.540] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdee94624, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6af7)) returned 1 [0068.540] SetErrorMode (uMode=0x0) returned 0x1 [0068.540] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.541] SetErrorMode (uMode=0x1) returned 0x0 [0068.541] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1036\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.541] SetErrorMode (uMode=0x0) returned 0x1 [0068.541] GetFileType (hFile=0x30c) returned 0x1 [0068.542] CloseHandle (hObject=0x30c) returned 1 [0068.543] SetErrorMode (uMode=0x1) returned 0x0 [0068.543] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdee94624, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdee94624, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0068.543] SetErrorMode (uMode=0x0) returned 0x1 [0068.543] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0068.543] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.543] CoTaskMemFree (pv=0x10bd8a0) [0068.543] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.543] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x90e72bc9, Data2=0x9dfd, Data3=0x4ce1, Data4=([0]=0xbb, [1]=0xdd, [2]=0xf1, [3]=0x9d, [4]=0xdb, [5]=0x65, [6]=0x49, [7]=0x87))) returned 0x0 [0068.543] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0068.543] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.543] CoTaskMemFree (pv=0x10bd680) [0068.543] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.543] SetErrorMode (uMode=0x1) returned 0x0 [0068.543] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3bf0 [0068.544] SetErrorMode (uMode=0x0) returned 0x1 [0068.544] SetErrorMode (uMode=0x1) returned 0x0 [0068.544] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3)) returned 1 [0068.544] SetErrorMode (uMode=0x0) returned 0x1 [0068.544] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1037\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.544] SetErrorMode (uMode=0x1) returned 0x0 [0068.544] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.544] SetErrorMode (uMode=0x0) returned 0x1 [0068.544] GetFileType (hFile=0x30c) returned 0x1 [0068.545] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-6786, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x41 [0068.546] CloseHandle (hObject=0x30c) returned 1 [0068.546] SetErrorMode (uMode=0x1) returned 0x0 [0068.546] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.546] SetErrorMode (uMode=0x0) returned 0x1 [0068.546] GetFileType (hFile=0x30c) returned 0x1 [0068.547] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1ac3 [0068.549] CloseHandle (hObject=0x30c) returned 1 [0068.550] SetErrorMode (uMode=0x1) returned 0x0 [0068.550] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.550] SetErrorMode (uMode=0x0) returned 0x1 [0068.550] GetFileType (hFile=0x30c) returned 0x1 [0068.550] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x41 [0068.551] CloseHandle (hObject=0x30c) returned 1 [0068.551] SetErrorMode (uMode=0x1) returned 0x0 [0068.551] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdeeba765, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2700)) returned 1 [0068.552] SetErrorMode (uMode=0x0) returned 0x1 [0068.552] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.553] SetErrorMode (uMode=0x1) returned 0x0 [0068.553] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c)) returned 1 [0068.554] SetErrorMode (uMode=0x0) returned 0x1 [0068.555] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.555] SetErrorMode (uMode=0x1) returned 0x0 [0068.555] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.555] SetErrorMode (uMode=0x0) returned 0x1 [0068.555] GetFileType (hFile=0x30c) returned 0x1 [0068.555] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1f8d [0068.557] CloseHandle (hObject=0x30c) returned 1 [0068.557] SetErrorMode (uMode=0x1) returned 0x0 [0068.557] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.558] SetErrorMode (uMode=0x0) returned 0x1 [0068.558] GetFileType (hFile=0x30c) returned 0x1 [0068.558] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1198c [0068.560] CloseHandle (hObject=0x30c) returned 1 [0068.586] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.586] SetErrorMode (uMode=0x1) returned 0x0 [0068.586] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.586] SetErrorMode (uMode=0x0) returned 0x1 [0068.587] GetFileType (hFile=0x30c) returned 0x1 [0068.587] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1f8d [0068.589] CloseHandle (hObject=0x30c) returned 1 [0068.590] SetErrorMode (uMode=0x1) returned 0x0 [0068.590] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdef06c44, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x18c4c)) returned 1 [0068.590] SetErrorMode (uMode=0x0) returned 0x1 [0068.590] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.590] SetErrorMode (uMode=0x1) returned 0x0 [0068.591] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158)) returned 1 [0068.591] SetErrorMode (uMode=0x0) returned 0x1 [0068.591] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1037\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.591] SetErrorMode (uMode=0x1) returned 0x0 [0068.592] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.592] SetErrorMode (uMode=0x0) returned 0x1 [0068.592] GetFileType (hFile=0x30c) returned 0x1 [0068.592] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-16614, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x72 [0068.593] CloseHandle (hObject=0x30c) returned 1 [0068.593] SetErrorMode (uMode=0x1) returned 0x0 [0068.594] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.594] SetErrorMode (uMode=0x0) returned 0x1 [0068.594] GetFileType (hFile=0x30c) returned 0x1 [0068.594] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4158 [0068.608] CloseHandle (hObject=0x30c) returned 1 [0068.611] SetErrorMode (uMode=0x1) returned 0x0 [0068.611] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.612] SetErrorMode (uMode=0x0) returned 0x1 [0068.612] GetFileType (hFile=0x30c) returned 0x1 [0068.612] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x72 [0068.613] CloseHandle (hObject=0x30c) returned 1 [0068.613] SetErrorMode (uMode=0x1) returned 0x0 [0068.613] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdef53197, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5f31)) returned 1 [0068.613] SetErrorMode (uMode=0x0) returned 0x1 [0068.613] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.614] SetErrorMode (uMode=0x1) returned 0x0 [0068.614] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1037\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.614] SetErrorMode (uMode=0x0) returned 0x1 [0068.614] GetFileType (hFile=0x30c) returned 0x1 [0068.615] CloseHandle (hObject=0x30c) returned 1 [0068.616] SetErrorMode (uMode=0x1) returned 0x0 [0068.616] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdef53197, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdef53197, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0068.616] SetErrorMode (uMode=0x0) returned 0x1 [0068.616] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0068.616] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.616] CoTaskMemFree (pv=0x10bc9c0) [0068.616] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.616] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x45f93b8c, Data2=0x5ba2, Data3=0x430a, Data4=([0]=0xae, [1]=0x67, [2]=0x3c, [3]=0xb8, [4]=0xaa, [5]=0xaf, [6]=0xf6, [7]=0x61))) returned 0x0 [0068.616] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0068.616] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.616] CoTaskMemFree (pv=0x10bd680) [0068.616] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.617] SetErrorMode (uMode=0x1) returned 0x0 [0068.617] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0068.617] SetErrorMode (uMode=0x0) returned 0x1 [0068.617] SetErrorMode (uMode=0x1) returned 0x0 [0068.617] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e)) returned 1 [0068.617] SetErrorMode (uMode=0x0) returned 0x1 [0068.617] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1038\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.617] SetErrorMode (uMode=0x1) returned 0x0 [0068.617] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.617] SetErrorMode (uMode=0x0) returned 0x1 [0068.618] GetFileType (hFile=0x30c) returned 0x1 [0068.618] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-4212, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2a [0068.625] CloseHandle (hObject=0x30c) returned 1 [0068.625] SetErrorMode (uMode=0x1) returned 0x0 [0068.625] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.625] SetErrorMode (uMode=0x0) returned 0x1 [0068.625] GetFileType (hFile=0x30c) returned 0x1 [0068.625] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x109e [0068.628] CloseHandle (hObject=0x30c) returned 1 [0068.628] SetErrorMode (uMode=0x1) returned 0x0 [0068.628] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.629] SetErrorMode (uMode=0x0) returned 0x1 [0068.629] GetFileType (hFile=0x30c) returned 0x1 [0068.629] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x2a [0068.631] CloseHandle (hObject=0x30c) returned 1 [0068.631] SetErrorMode (uMode=0x1) returned 0x0 [0068.631] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdef7939f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x183d)) returned 1 [0068.631] SetErrorMode (uMode=0x0) returned 0x1 [0068.631] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.634] SetErrorMode (uMode=0x1) returned 0x0 [0068.634] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa)) returned 1 [0068.634] SetErrorMode (uMode=0x0) returned 0x1 [0068.634] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.634] SetErrorMode (uMode=0x1) returned 0x0 [0068.634] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.635] SetErrorMode (uMode=0x0) returned 0x1 [0068.635] GetFileType (hFile=0x30c) returned 0x1 [0068.635] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x57ab [0068.678] CloseHandle (hObject=0x30c) returned 1 [0068.678] SetErrorMode (uMode=0x1) returned 0x0 [0068.678] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.678] SetErrorMode (uMode=0x0) returned 0x1 [0068.678] GetFileType (hFile=0x30c) returned 0x1 [0068.679] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x151aa [0068.681] CloseHandle (hObject=0x30c) returned 1 [0068.699] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.699] SetErrorMode (uMode=0x1) returned 0x0 [0068.699] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.700] SetErrorMode (uMode=0x0) returned 0x1 [0068.700] GetFileType (hFile=0x30c) returned 0x1 [0068.700] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x57ab [0068.702] CloseHandle (hObject=0x30c) returned 1 [0068.703] SetErrorMode (uMode=0x1) returned 0x0 [0068.703] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf011d6b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1c46a)) returned 1 [0068.703] SetErrorMode (uMode=0x0) returned 0x1 [0068.703] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.703] SetErrorMode (uMode=0x1) returned 0x0 [0068.703] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958)) returned 1 [0068.704] SetErrorMode (uMode=0x0) returned 0x1 [0068.704] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1038\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.704] SetErrorMode (uMode=0x1) returned 0x0 [0068.705] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.705] SetErrorMode (uMode=0x0) returned 0x1 [0068.705] GetFileType (hFile=0x30c) returned 0x1 [0068.705] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18720, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0068.707] CloseHandle (hObject=0x30c) returned 1 [0068.707] SetErrorMode (uMode=0x1) returned 0x0 [0068.707] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.707] SetErrorMode (uMode=0x0) returned 0x1 [0068.707] GetFileType (hFile=0x30c) returned 0x1 [0068.707] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4958 [0068.709] CloseHandle (hObject=0x30c) returned 1 [0068.713] SetErrorMode (uMode=0x1) returned 0x0 [0068.713] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.713] SetErrorMode (uMode=0x0) returned 0x1 [0068.713] GetFileType (hFile=0x30c) returned 0x1 [0068.713] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0068.714] CloseHandle (hObject=0x30c) returned 1 [0068.715] SetErrorMode (uMode=0x1) returned 0x0 [0068.715] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf037bf7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6af7)) returned 1 [0068.715] SetErrorMode (uMode=0x0) returned 0x1 [0068.715] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.715] SetErrorMode (uMode=0x1) returned 0x0 [0068.715] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1038\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.716] SetErrorMode (uMode=0x0) returned 0x1 [0068.716] GetFileType (hFile=0x30c) returned 0x1 [0068.717] CloseHandle (hObject=0x30c) returned 1 [0068.717] SetErrorMode (uMode=0x1) returned 0x0 [0068.717] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf037bf7, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf037bf7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0068.717] SetErrorMode (uMode=0x0) returned 0x1 [0068.718] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.718] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.718] CoTaskMemFree (pv=0x10be120) [0068.718] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.718] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x532a7342, Data2=0xbbbb, Data3=0x4489, Data4=([0]=0x9e, [1]=0x2f, [2]=0xdd, [3]=0x78, [4]=0x3d, [5]=0x23, [6]=0x29, [7]=0x38))) returned 0x0 [0068.718] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.718] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.718] CoTaskMemFree (pv=0x10be120) [0068.718] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.718] SetErrorMode (uMode=0x1) returned 0x0 [0068.718] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b34d0 [0068.752] SetErrorMode (uMode=0x0) returned 0x1 [0068.752] SetErrorMode (uMode=0x1) returned 0x0 [0068.752] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b)) returned 1 [0068.753] SetErrorMode (uMode=0x0) returned 0x1 [0068.753] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1040\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.753] SetErrorMode (uMode=0x1) returned 0x0 [0068.753] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.753] SetErrorMode (uMode=0x0) returned 0x1 [0068.753] GetFileType (hFile=0x30c) returned 0x1 [0068.753] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3627, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x10 [0068.755] CloseHandle (hObject=0x30c) returned 1 [0068.759] SetErrorMode (uMode=0x1) returned 0x0 [0068.759] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.759] SetErrorMode (uMode=0x0) returned 0x1 [0068.759] GetFileType (hFile=0x30c) returned 0x1 [0068.759] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xe3b [0068.761] CloseHandle (hObject=0x30c) returned 1 [0068.762] SetErrorMode (uMode=0x1) returned 0x0 [0068.762] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.762] SetErrorMode (uMode=0x0) returned 0x1 [0068.762] GetFileType (hFile=0x30c) returned 0x1 [0068.762] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x10 [0068.764] CloseHandle (hObject=0x30c) returned 1 [0068.764] SetErrorMode (uMode=0x1) returned 0x0 [0068.765] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf0aa622, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x14cf)) returned 1 [0068.765] SetErrorMode (uMode=0x0) returned 0x1 [0068.765] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.806] SetErrorMode (uMode=0x1) returned 0x0 [0068.808] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc)) returned 1 [0068.835] SetErrorMode (uMode=0x0) returned 0x1 [0068.836] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.836] SetErrorMode (uMode=0x1) returned 0x0 [0068.836] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.836] SetErrorMode (uMode=0x0) returned 0x1 [0068.836] GetFileType (hFile=0x30c) returned 0x1 [0068.836] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3ebd [0068.842] CloseHandle (hObject=0x30c) returned 1 [0068.843] SetErrorMode (uMode=0x1) returned 0x0 [0068.843] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.843] SetErrorMode (uMode=0x0) returned 0x1 [0068.843] GetFileType (hFile=0x30c) returned 0x1 [0068.843] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x138bc [0068.845] CloseHandle (hObject=0x30c) returned 1 [0068.933] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.933] SetErrorMode (uMode=0x1) returned 0x0 [0068.933] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.933] SetErrorMode (uMode=0x0) returned 0x1 [0068.933] GetFileType (hFile=0x30c) returned 0x1 [0068.934] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3ebd [0068.936] CloseHandle (hObject=0x30c) returned 1 [0068.937] SetErrorMode (uMode=0x1) returned 0x0 [0068.937] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf24fd1a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7c)) returned 1 [0068.937] SetErrorMode (uMode=0x0) returned 0x1 [0068.937] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.937] SetErrorMode (uMode=0x1) returned 0x0 [0068.937] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0068.938] SetErrorMode (uMode=0x0) returned 0x1 [0068.938] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1040\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0068.938] SetErrorMode (uMode=0x1) returned 0x0 [0068.938] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.939] SetErrorMode (uMode=0x0) returned 0x1 [0068.939] GetFileType (hFile=0x30c) returned 0x1 [0068.939] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0068.940] CloseHandle (hObject=0x30c) returned 1 [0068.940] SetErrorMode (uMode=0x1) returned 0x0 [0068.940] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.940] SetErrorMode (uMode=0x0) returned 0x1 [0068.941] GetFileType (hFile=0x30c) returned 0x1 [0068.941] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0068.943] CloseHandle (hObject=0x30c) returned 1 [0068.946] SetErrorMode (uMode=0x1) returned 0x0 [0068.946] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.946] SetErrorMode (uMode=0x0) returned 0x1 [0068.946] GetFileType (hFile=0x30c) returned 0x1 [0068.946] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0068.947] CloseHandle (hObject=0x30c) returned 1 [0068.948] SetErrorMode (uMode=0x1) returned 0x0 [0068.948] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf27405c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0068.948] SetErrorMode (uMode=0x0) returned 0x1 [0068.948] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.948] SetErrorMode (uMode=0x1) returned 0x0 [0068.948] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1040\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.949] SetErrorMode (uMode=0x0) returned 0x1 [0068.949] GetFileType (hFile=0x30c) returned 0x1 [0068.950] CloseHandle (hObject=0x30c) returned 1 [0068.950] SetErrorMode (uMode=0x1) returned 0x0 [0068.950] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf27405c, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf27405c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0068.950] SetErrorMode (uMode=0x0) returned 0x1 [0068.950] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0068.950] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0068.951] CoTaskMemFree (pv=0x10bd8a0) [0068.951] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0068.951] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xea1b67e, Data2=0x5d6a, Data3=0x4a4f, Data4=([0]=0x8a, [1]=0x0, [2]=0x58, [3]=0x80, [4]=0xbc, [5]=0x49, [6]=0xc4, [7]=0x5f))) returned 0x0 [0068.951] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0068.951] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0068.951] CoTaskMemFree (pv=0x10be120) [0068.951] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0068.951] SetErrorMode (uMode=0x1) returned 0x0 [0068.951] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0068.951] SetErrorMode (uMode=0x0) returned 0x1 [0068.951] SetErrorMode (uMode=0x1) returned 0x0 [0068.951] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d)) returned 1 [0068.952] SetErrorMode (uMode=0x0) returned 0x1 [0068.952] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1041\\eula.rtf", lpFilePart=0x0) returned 0x23 [0068.952] SetErrorMode (uMode=0x1) returned 0x0 [0068.952] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.952] SetErrorMode (uMode=0x0) returned 0x1 [0068.952] GetFileType (hFile=0x30c) returned 0x1 [0068.952] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-10062, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3f [0068.955] CloseHandle (hObject=0x30c) returned 1 [0068.955] SetErrorMode (uMode=0x1) returned 0x0 [0068.955] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0068.955] SetErrorMode (uMode=0x0) returned 0x1 [0068.955] GetFileType (hFile=0x30c) returned 0x1 [0068.955] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x278d [0068.957] CloseHandle (hObject=0x30c) returned 1 [0068.959] SetErrorMode (uMode=0x1) returned 0x0 [0068.959] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0068.959] SetErrorMode (uMode=0x0) returned 0x1 [0068.959] GetFileType (hFile=0x30c) returned 0x1 [0068.959] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3f [0068.960] CloseHandle (hObject=0x30c) returned 1 [0068.960] SetErrorMode (uMode=0x1) returned 0x0 [0068.960] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf29a227, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x39aa)) returned 1 [0068.961] SetErrorMode (uMode=0x0) returned 0x1 [0068.961] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0068.969] SetErrorMode (uMode=0x1) returned 0x0 [0068.969] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82)) returned 1 [0068.969] SetErrorMode (uMode=0x0) returned 0x1 [0068.969] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0068.969] SetErrorMode (uMode=0x1) returned 0x0 [0069.021] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.022] SetErrorMode (uMode=0x0) returned 0x1 [0069.022] GetFileType (hFile=0x30c) returned 0x1 [0069.022] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1083 [0069.026] CloseHandle (hObject=0x30c) returned 1 [0069.026] SetErrorMode (uMode=0x1) returned 0x0 [0069.026] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.027] SetErrorMode (uMode=0x0) returned 0x1 [0069.027] GetFileType (hFile=0x30c) returned 0x1 [0069.027] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x10a82 [0069.029] CloseHandle (hObject=0x30c) returned 1 [0069.061] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.061] SetErrorMode (uMode=0x1) returned 0x0 [0069.061] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.061] SetErrorMode (uMode=0x0) returned 0x1 [0069.061] GetFileType (hFile=0x30c) returned 0x1 [0069.061] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1083 [0069.136] CloseHandle (hObject=0x30c) returned 1 [0069.136] SetErrorMode (uMode=0x1) returned 0x0 [0069.136] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf43dc4c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x17d42)) returned 1 [0069.136] SetErrorMode (uMode=0x0) returned 0x1 [0069.136] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.137] SetErrorMode (uMode=0x1) returned 0x0 [0069.137] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58)) returned 1 [0069.137] SetErrorMode (uMode=0x0) returned 0x1 [0069.137] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1041\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.137] SetErrorMode (uMode=0x1) returned 0x0 [0069.137] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.137] SetErrorMode (uMode=0x0) returned 0x1 [0069.137] GetFileType (hFile=0x30c) returned 0x1 [0069.137] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-15678, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1a [0069.206] CloseHandle (hObject=0x30c) returned 1 [0069.206] SetErrorMode (uMode=0x1) returned 0x0 [0069.206] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.207] SetErrorMode (uMode=0x0) returned 0x1 [0069.207] GetFileType (hFile=0x30c) returned 0x1 [0069.207] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x3d58 [0069.209] CloseHandle (hObject=0x30c) returned 1 [0069.212] SetErrorMode (uMode=0x1) returned 0x0 [0069.212] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.212] SetErrorMode (uMode=0x0) returned 0x1 [0069.212] GetFileType (hFile=0x30c) returned 0x1 [0069.212] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1a [0069.213] CloseHandle (hObject=0x30c) returned 1 [0069.213] SetErrorMode (uMode=0x1) returned 0x0 [0069.213] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf4fca1a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5985)) returned 1 [0069.213] SetErrorMode (uMode=0x0) returned 0x1 [0069.214] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.214] SetErrorMode (uMode=0x1) returned 0x0 [0069.214] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1041\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.214] SetErrorMode (uMode=0x0) returned 0x1 [0069.214] GetFileType (hFile=0x30c) returned 0x1 [0069.215] CloseHandle (hObject=0x30c) returned 1 [0069.216] SetErrorMode (uMode=0x1) returned 0x0 [0069.216] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf4fca1a, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf4fca1a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2db0 [0069.216] SetErrorMode (uMode=0x0) returned 0x1 [0069.216] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0069.216] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.216] CoTaskMemFree (pv=0x10bd680) [0069.216] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.216] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x93804a5e, Data2=0x66f8, Data3=0x4fc2, Data4=([0]=0xa1, [1]=0x86, [2]=0x14, [3]=0x63, [4]=0xcd, [5]=0xd5, [6]=0x83, [7]=0x9e))) returned 0x0 [0069.217] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0069.217] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.217] CoTaskMemFree (pv=0x10be120) [0069.217] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.217] SetErrorMode (uMode=0x1) returned 0x0 [0069.217] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0069.217] SetErrorMode (uMode=0x0) returned 0x1 [0069.217] SetErrorMode (uMode=0x1) returned 0x0 [0069.217] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f)) returned 1 [0069.217] SetErrorMode (uMode=0x0) returned 0x1 [0069.217] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1042\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.217] SetErrorMode (uMode=0x1) returned 0x0 [0069.217] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.218] SetErrorMode (uMode=0x0) returned 0x1 [0069.218] GetFileType (hFile=0x30c) returned 0x1 [0069.218] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-12636, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x33 [0069.240] CloseHandle (hObject=0x30c) returned 1 [0069.240] SetErrorMode (uMode=0x1) returned 0x0 [0069.240] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.240] SetErrorMode (uMode=0x0) returned 0x1 [0069.240] GetFileType (hFile=0x30c) returned 0x1 [0069.240] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x318f [0069.242] CloseHandle (hObject=0x30c) returned 1 [0069.244] SetErrorMode (uMode=0x1) returned 0x0 [0069.244] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.245] SetErrorMode (uMode=0x0) returned 0x1 [0069.245] GetFileType (hFile=0x30c) returned 0x1 [0069.245] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x33 [0069.246] CloseHandle (hObject=0x30c) returned 1 [0069.246] SetErrorMode (uMode=0x1) returned 0x0 [0069.246] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf548f3b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4846)) returned 1 [0069.246] SetErrorMode (uMode=0x0) returned 0x1 [0069.246] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.267] SetErrorMode (uMode=0x1) returned 0x0 [0069.267] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6)) returned 1 [0069.268] SetErrorMode (uMode=0x0) returned 0x1 [0069.268] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.268] SetErrorMode (uMode=0x1) returned 0x0 [0069.268] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.268] SetErrorMode (uMode=0x0) returned 0x1 [0069.268] GetFileType (hFile=0x30c) returned 0x1 [0069.268] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-65169, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x45 [0069.278] CloseHandle (hObject=0x30c) returned 1 [0069.278] SetErrorMode (uMode=0x1) returned 0x0 [0069.278] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.279] SetErrorMode (uMode=0x0) returned 0x1 [0069.279] GetFileType (hFile=0x30c) returned 0x1 [0069.279] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xfed6 [0069.281] CloseHandle (hObject=0x30c) returned 1 [0069.297] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.297] SetErrorMode (uMode=0x1) returned 0x0 [0069.297] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.298] SetErrorMode (uMode=0x0) returned 0x1 [0069.298] GetFileType (hFile=0x30c) returned 0x1 [0069.298] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x45 [0069.301] CloseHandle (hObject=0x30c) returned 1 [0069.301] SetErrorMode (uMode=0x1) returned 0x0 [0069.301] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf5e177a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x173b0)) returned 1 [0069.301] SetErrorMode (uMode=0x0) returned 0x1 [0069.301] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.301] SetErrorMode (uMode=0x1) returned 0x0 [0069.302] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58)) returned 1 [0069.302] SetErrorMode (uMode=0x0) returned 0x1 [0069.302] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1042\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.302] SetErrorMode (uMode=0x1) returned 0x0 [0069.302] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.302] SetErrorMode (uMode=0x0) returned 0x1 [0069.302] GetFileType (hFile=0x30c) returned 0x1 [0069.302] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-15093, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x63 [0069.326] CloseHandle (hObject=0x30c) returned 1 [0069.326] SetErrorMode (uMode=0x1) returned 0x0 [0069.326] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.327] SetErrorMode (uMode=0x0) returned 0x1 [0069.327] GetFileType (hFile=0x30c) returned 0x1 [0069.327] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x3b58 [0069.329] CloseHandle (hObject=0x30c) returned 1 [0069.332] SetErrorMode (uMode=0x1) returned 0x0 [0069.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.332] SetErrorMode (uMode=0x0) returned 0x1 [0069.332] GetFileType (hFile=0x30c) returned 0x1 [0069.332] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x63 [0069.333] CloseHandle (hObject=0x30c) returned 1 [0069.334] SetErrorMode (uMode=0x1) returned 0x0 [0069.334] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf62dd01, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5676)) returned 1 [0069.334] SetErrorMode (uMode=0x0) returned 0x1 [0069.334] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.334] SetErrorMode (uMode=0x1) returned 0x0 [0069.334] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1042\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.337] SetErrorMode (uMode=0x0) returned 0x1 [0069.337] GetFileType (hFile=0x30c) returned 0x1 [0069.338] CloseHandle (hObject=0x30c) returned 1 [0069.338] SetErrorMode (uMode=0x1) returned 0x0 [0069.338] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf62dd01, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf62dd01, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3470 [0069.338] SetErrorMode (uMode=0x0) returned 0x1 [0069.338] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0069.339] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.339] CoTaskMemFree (pv=0x10bd680) [0069.339] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.339] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x22d06897, Data2=0xcbc6, Data3=0x4140, Data4=([0]=0xb5, [1]=0xc1, [2]=0xd7, [3]=0x43, [4]=0x27, [5]=0xa3, [6]=0xcb, [7]=0x5e))) returned 0x0 [0069.339] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0069.339] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.339] CoTaskMemFree (pv=0x10bc9c0) [0069.339] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.339] SetErrorMode (uMode=0x1) returned 0x0 [0069.339] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0069.339] SetErrorMode (uMode=0x0) returned 0x1 [0069.339] SetErrorMode (uMode=0x1) returned 0x0 [0069.339] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda)) returned 1 [0069.341] SetErrorMode (uMode=0x0) returned 0x1 [0069.341] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1043\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.341] SetErrorMode (uMode=0x1) returned 0x0 [0069.341] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.341] SetErrorMode (uMode=0x0) returned 0x1 [0069.341] GetFileType (hFile=0x30c) returned 0x1 [0069.341] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3510, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x24 [0069.345] CloseHandle (hObject=0x30c) returned 1 [0069.345] SetErrorMode (uMode=0x1) returned 0x0 [0069.345] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.345] SetErrorMode (uMode=0x0) returned 0x1 [0069.345] GetFileType (hFile=0x30c) returned 0x1 [0069.345] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xdda [0069.347] CloseHandle (hObject=0x30c) returned 1 [0069.348] SetErrorMode (uMode=0x1) returned 0x0 [0069.348] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.348] SetErrorMode (uMode=0x0) returned 0x1 [0069.348] GetFileType (hFile=0x30c) returned 0x1 [0069.348] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x24 [0069.349] CloseHandle (hObject=0x30c) returned 1 [0069.349] SetErrorMode (uMode=0x1) returned 0x0 [0069.349] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf653f45, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1437)) returned 1 [0069.349] SetErrorMode (uMode=0x0) returned 0x1 [0069.349] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.352] SetErrorMode (uMode=0x1) returned 0x0 [0069.352] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712)) returned 1 [0069.352] SetErrorMode (uMode=0x0) returned 0x1 [0069.352] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.352] SetErrorMode (uMode=0x1) returned 0x0 [0069.352] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.352] SetErrorMode (uMode=0x0) returned 0x1 [0069.352] GetFileType (hFile=0x30c) returned 0x1 [0069.352] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3d13 [0069.354] CloseHandle (hObject=0x30c) returned 1 [0069.355] SetErrorMode (uMode=0x1) returned 0x0 [0069.355] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.355] SetErrorMode (uMode=0x0) returned 0x1 [0069.355] GetFileType (hFile=0x30c) returned 0x1 [0069.355] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x13712 [0069.357] CloseHandle (hObject=0x30c) returned 1 [0069.375] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.375] SetErrorMode (uMode=0x1) returned 0x0 [0069.375] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.375] SetErrorMode (uMode=0x0) returned 0x1 [0069.375] GetFileType (hFile=0x30c) returned 0x1 [0069.375] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3d13 [0069.418] CloseHandle (hObject=0x30c) returned 1 [0069.418] SetErrorMode (uMode=0x1) returned 0x0 [0069.418] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf6ec72c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a9d2)) returned 1 [0069.418] SetErrorMode (uMode=0x0) returned 0x1 [0069.418] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.419] SetErrorMode (uMode=0x1) returned 0x0 [0069.419] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58)) returned 1 [0069.419] SetErrorMode (uMode=0x0) returned 0x1 [0069.419] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1043\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.419] SetErrorMode (uMode=0x1) returned 0x0 [0069.419] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.419] SetErrorMode (uMode=0x0) returned 0x1 [0069.419] GetFileType (hFile=0x30c) returned 0x1 [0069.419] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19188, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x64 [0069.421] CloseHandle (hObject=0x30c) returned 1 [0069.421] SetErrorMode (uMode=0x1) returned 0x0 [0069.421] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.421] SetErrorMode (uMode=0x0) returned 0x1 [0069.421] GetFileType (hFile=0x30c) returned 0x1 [0069.421] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4b58 [0069.423] CloseHandle (hObject=0x30c) returned 1 [0069.428] SetErrorMode (uMode=0x1) returned 0x0 [0069.428] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.429] SetErrorMode (uMode=0x0) returned 0x1 [0069.429] GetFileType (hFile=0x30c) returned 0x1 [0069.429] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x64 [0069.430] CloseHandle (hObject=0x30c) returned 1 [0069.430] SetErrorMode (uMode=0x1) returned 0x0 [0069.430] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf7128d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6dcf)) returned 1 [0069.430] SetErrorMode (uMode=0x0) returned 0x1 [0069.430] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.431] SetErrorMode (uMode=0x1) returned 0x0 [0069.431] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1043\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.431] SetErrorMode (uMode=0x0) returned 0x1 [0069.431] GetFileType (hFile=0x30c) returned 0x1 [0069.432] CloseHandle (hObject=0x30c) returned 1 [0069.433] SetErrorMode (uMode=0x1) returned 0x0 [0069.433] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf7128d1, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf7128d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0069.433] SetErrorMode (uMode=0x0) returned 0x1 [0069.433] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0069.433] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.433] CoTaskMemFree (pv=0x10bd680) [0069.433] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.433] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x69c414bf, Data2=0x192f, Data3=0x434b, Data4=([0]=0xa2, [1]=0x35, [2]=0x9f, [3]=0xd2, [4]=0x3b, [5]=0x9e, [6]=0xcf, [7]=0xba))) returned 0x0 [0069.433] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0069.433] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.433] CoTaskMemFree (pv=0x10bd680) [0069.433] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.433] SetErrorMode (uMode=0x1) returned 0x0 [0069.434] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3bf0 [0069.434] SetErrorMode (uMode=0x0) returned 0x1 [0069.434] SetErrorMode (uMode=0x1) returned 0x0 [0069.434] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6)) returned 1 [0069.435] SetErrorMode (uMode=0x0) returned 0x1 [0069.435] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1044\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.435] SetErrorMode (uMode=0x1) returned 0x0 [0069.435] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.435] SetErrorMode (uMode=0x0) returned 0x1 [0069.435] GetFileType (hFile=0x30c) returned 0x1 [0069.435] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3042, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4 [0069.436] CloseHandle (hObject=0x30c) returned 1 [0069.437] SetErrorMode (uMode=0x1) returned 0x0 [0069.437] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.437] SetErrorMode (uMode=0x0) returned 0x1 [0069.437] GetFileType (hFile=0x30c) returned 0x1 [0069.437] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xbe6 [0069.439] CloseHandle (hObject=0x30c) returned 1 [0069.440] SetErrorMode (uMode=0x1) returned 0x0 [0069.440] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.440] SetErrorMode (uMode=0x0) returned 0x1 [0069.440] GetFileType (hFile=0x30c) returned 0x1 [0069.440] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4 [0069.441] CloseHandle (hObject=0x30c) returned 1 [0069.441] SetErrorMode (uMode=0x1) returned 0x0 [0069.441] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf738ddb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x116f)) returned 1 [0069.441] SetErrorMode (uMode=0x0) returned 0x1 [0069.441] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.443] SetErrorMode (uMode=0x1) returned 0x0 [0069.443] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0)) returned 1 [0069.443] SetErrorMode (uMode=0x0) returned 0x1 [0069.443] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.443] SetErrorMode (uMode=0x1) returned 0x0 [0069.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.444] SetErrorMode (uMode=0x0) returned 0x1 [0069.444] GetFileType (hFile=0x30c) returned 0x1 [0069.444] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3bc1 [0069.445] CloseHandle (hObject=0x30c) returned 1 [0069.445] SetErrorMode (uMode=0x1) returned 0x0 [0069.446] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.446] SetErrorMode (uMode=0x0) returned 0x1 [0069.446] GetFileType (hFile=0x30c) returned 0x1 [0069.446] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x135c0 [0069.448] CloseHandle (hObject=0x30c) returned 1 [0069.547] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.548] SetErrorMode (uMode=0x1) returned 0x0 [0069.548] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.548] SetErrorMode (uMode=0x0) returned 0x1 [0069.548] GetFileType (hFile=0x30c) returned 0x1 [0069.548] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3bc1 [0069.551] CloseHandle (hObject=0x30c) returned 1 [0069.551] SetErrorMode (uMode=0x1) returned 0x0 [0069.551] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf843d1e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a880)) returned 1 [0069.551] SetErrorMode (uMode=0x0) returned 0x1 [0069.551] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.552] SetErrorMode (uMode=0x1) returned 0x0 [0069.552] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558)) returned 1 [0069.552] SetErrorMode (uMode=0x0) returned 0x1 [0069.552] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1044\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.553] SetErrorMode (uMode=0x1) returned 0x0 [0069.553] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.553] SetErrorMode (uMode=0x0) returned 0x1 [0069.553] GetFileType (hFile=0x30c) returned 0x1 [0069.553] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17667, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x55 [0069.554] CloseHandle (hObject=0x30c) returned 1 [0069.555] SetErrorMode (uMode=0x1) returned 0x0 [0069.555] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.555] SetErrorMode (uMode=0x0) returned 0x1 [0069.555] GetFileType (hFile=0x30c) returned 0x1 [0069.555] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4558 [0069.557] CloseHandle (hObject=0x30c) returned 1 [0069.560] SetErrorMode (uMode=0x1) returned 0x0 [0069.560] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.560] SetErrorMode (uMode=0x0) returned 0x1 [0069.560] GetFileType (hFile=0x30c) returned 0x1 [0069.560] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x55 [0069.561] CloseHandle (hObject=0x30c) returned 1 [0069.562] SetErrorMode (uMode=0x1) returned 0x0 [0069.562] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf843d1e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6514)) returned 1 [0069.562] SetErrorMode (uMode=0x0) returned 0x1 [0069.562] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.562] SetErrorMode (uMode=0x1) returned 0x0 [0069.562] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1044\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.563] SetErrorMode (uMode=0x0) returned 0x1 [0069.563] GetFileType (hFile=0x30c) returned 0x1 [0069.564] CloseHandle (hObject=0x30c) returned 1 [0069.564] SetErrorMode (uMode=0x1) returned 0x0 [0069.564] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf843d1e, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf843d1e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0069.565] SetErrorMode (uMode=0x0) returned 0x1 [0069.565] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0069.565] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.565] CoTaskMemFree (pv=0x10bd8a0) [0069.565] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.565] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xaa6906f7, Data2=0xa012, Data3=0x4e9e, Data4=([0]=0xbe, [1]=0xef, [2]=0xdf, [3]=0xde, [4]=0xe6, [5]=0x3b, [6]=0x4b, [7]=0x2))) returned 0x0 [0069.565] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0069.565] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.565] CoTaskMemFree (pv=0x10be120) [0069.565] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.565] SetErrorMode (uMode=0x1) returned 0x0 [0069.565] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0069.566] SetErrorMode (uMode=0x0) returned 0x1 [0069.566] SetErrorMode (uMode=0x1) returned 0x0 [0069.566] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8)) returned 1 [0069.566] SetErrorMode (uMode=0x0) returned 0x1 [0069.566] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1045\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.567] SetErrorMode (uMode=0x1) returned 0x0 [0069.567] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.567] SetErrorMode (uMode=0x0) returned 0x1 [0069.567] GetFileType (hFile=0x30c) returned 0x1 [0069.567] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3978, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3e [0069.612] CloseHandle (hObject=0x30c) returned 1 [0069.612] SetErrorMode (uMode=0x1) returned 0x0 [0069.612] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.612] SetErrorMode (uMode=0x0) returned 0x1 [0069.612] GetFileType (hFile=0x30c) returned 0x1 [0069.612] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xfc8 [0069.614] CloseHandle (hObject=0x30c) returned 1 [0069.615] SetErrorMode (uMode=0x1) returned 0x0 [0069.615] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.615] SetErrorMode (uMode=0x0) returned 0x1 [0069.615] GetFileType (hFile=0x30c) returned 0x1 [0069.615] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3e [0069.616] CloseHandle (hObject=0x30c) returned 1 [0069.616] SetErrorMode (uMode=0x1) returned 0x0 [0069.616] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf8dc622, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x16fd)) returned 1 [0069.616] SetErrorMode (uMode=0x0) returned 0x1 [0069.617] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.619] SetErrorMode (uMode=0x1) returned 0x0 [0069.619] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6)) returned 1 [0069.619] SetErrorMode (uMode=0x0) returned 0x1 [0069.619] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.619] SetErrorMode (uMode=0x1) returned 0x0 [0069.619] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.620] SetErrorMode (uMode=0x0) returned 0x1 [0069.620] GetFileType (hFile=0x30c) returned 0x1 [0069.620] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x47c7 [0069.622] CloseHandle (hObject=0x30c) returned 1 [0069.622] SetErrorMode (uMode=0x1) returned 0x0 [0069.622] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.622] SetErrorMode (uMode=0x0) returned 0x1 [0069.622] GetFileType (hFile=0x30c) returned 0x1 [0069.622] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x141c6 [0069.624] CloseHandle (hObject=0x30c) returned 1 [0069.645] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.645] SetErrorMode (uMode=0x1) returned 0x0 [0069.645] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.645] SetErrorMode (uMode=0x0) returned 0x1 [0069.645] GetFileType (hFile=0x30c) returned 0x1 [0069.645] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x47c7 [0069.648] CloseHandle (hObject=0x30c) returned 1 [0069.648] SetErrorMode (uMode=0x1) returned 0x0 [0069.648] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdf928c2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b486)) returned 1 [0069.648] SetErrorMode (uMode=0x0) returned 0x1 [0069.648] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.649] SetErrorMode (uMode=0x1) returned 0x0 [0069.649] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0069.649] SetErrorMode (uMode=0x0) returned 0x1 [0069.649] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1045\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.649] SetErrorMode (uMode=0x1) returned 0x0 [0069.649] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.649] SetErrorMode (uMode=0x0) returned 0x1 [0069.649] GetFileType (hFile=0x30c) returned 0x1 [0069.649] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0069.692] CloseHandle (hObject=0x30c) returned 1 [0069.693] SetErrorMode (uMode=0x1) returned 0x0 [0069.693] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.693] SetErrorMode (uMode=0x0) returned 0x1 [0069.693] GetFileType (hFile=0x30c) returned 0x1 [0069.693] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0069.698] CloseHandle (hObject=0x30c) returned 1 [0069.702] SetErrorMode (uMode=0x1) returned 0x0 [0069.702] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.702] SetErrorMode (uMode=0x0) returned 0x1 [0069.702] GetFileType (hFile=0x30c) returned 0x1 [0069.702] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0069.703] CloseHandle (hObject=0x30c) returned 1 [0069.703] SetErrorMode (uMode=0x1) returned 0x0 [0069.703] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdf99b35b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0069.703] SetErrorMode (uMode=0x0) returned 0x1 [0069.703] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.705] SetErrorMode (uMode=0x1) returned 0x0 [0069.705] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1045\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.705] SetErrorMode (uMode=0x0) returned 0x1 [0069.705] GetFileType (hFile=0x30c) returned 0x1 [0069.706] CloseHandle (hObject=0x30c) returned 1 [0069.706] SetErrorMode (uMode=0x1) returned 0x0 [0069.706] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdf99b35b, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdf9c16c9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2db0 [0069.707] SetErrorMode (uMode=0x0) returned 0x1 [0069.707] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0069.707] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.707] CoTaskMemFree (pv=0x10be120) [0069.707] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.707] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x172c8814, Data2=0xaad8, Data3=0x4bf9, Data4=([0]=0x89, [1]=0x32, [2]=0x1c, [3]=0x33, [4]=0x20, [5]=0x6a, [6]=0xad, [7]=0xfd))) returned 0x0 [0069.707] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0069.707] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.707] CoTaskMemFree (pv=0x10bd680) [0069.707] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.707] SetErrorMode (uMode=0x1) returned 0x0 [0069.707] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0069.708] SetErrorMode (uMode=0x0) returned 0x1 [0069.708] SetErrorMode (uMode=0x1) returned 0x0 [0069.708] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63)) returned 1 [0069.708] SetErrorMode (uMode=0x0) returned 0x1 [0069.708] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1046\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.709] SetErrorMode (uMode=0x1) returned 0x0 [0069.709] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.709] SetErrorMode (uMode=0x0) returned 0x1 [0069.709] GetFileType (hFile=0x30c) returned 0x1 [0069.709] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3627, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0069.710] CloseHandle (hObject=0x30c) returned 1 [0069.710] SetErrorMode (uMode=0x1) returned 0x0 [0069.710] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.711] SetErrorMode (uMode=0x0) returned 0x1 [0069.711] GetFileType (hFile=0x30c) returned 0x1 [0069.711] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xe63 [0069.713] CloseHandle (hObject=0x30c) returned 1 [0069.716] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1046\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.716] SetErrorMode (uMode=0x1) returned 0x0 [0069.716] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.716] SetErrorMode (uMode=0x0) returned 0x1 [0069.716] GetFileType (hFile=0x30c) returned 0x1 [0069.716] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0069.718] CloseHandle (hObject=0x30c) returned 1 [0069.718] SetErrorMode (uMode=0x1) returned 0x0 [0069.718] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdf9c16c9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x14f7)) returned 1 [0069.718] SetErrorMode (uMode=0x0) returned 0x1 [0069.718] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.721] SetErrorMode (uMode=0x1) returned 0x0 [0069.721] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62)) returned 1 [0069.721] SetErrorMode (uMode=0x0) returned 0x1 [0069.721] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.721] SetErrorMode (uMode=0x1) returned 0x0 [0069.721] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.721] SetErrorMode (uMode=0x0) returned 0x1 [0069.721] GetFileType (hFile=0x30c) returned 0x1 [0069.721] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4163 [0069.724] CloseHandle (hObject=0x30c) returned 1 [0069.724] SetErrorMode (uMode=0x1) returned 0x0 [0069.724] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.724] SetErrorMode (uMode=0x0) returned 0x1 [0069.724] GetFileType (hFile=0x30c) returned 0x1 [0069.724] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x13b62 [0069.727] CloseHandle (hObject=0x30c) returned 1 [0069.780] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.780] SetErrorMode (uMode=0x1) returned 0x0 [0069.780] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.780] SetErrorMode (uMode=0x0) returned 0x1 [0069.780] GetFileType (hFile=0x30c) returned 0x1 [0069.780] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4163 [0069.783] CloseHandle (hObject=0x30c) returned 1 [0069.783] SetErrorMode (uMode=0x1) returned 0x0 [0069.783] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdfa801b0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ae22)) returned 1 [0069.783] SetErrorMode (uMode=0x0) returned 0x1 [0069.783] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.784] SetErrorMode (uMode=0x1) returned 0x0 [0069.784] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0069.784] SetErrorMode (uMode=0x0) returned 0x1 [0069.784] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1046\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.784] SetErrorMode (uMode=0x1) returned 0x0 [0069.784] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.784] SetErrorMode (uMode=0x0) returned 0x1 [0069.784] GetFileType (hFile=0x30c) returned 0x1 [0069.784] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0069.822] CloseHandle (hObject=0x30c) returned 1 [0069.822] SetErrorMode (uMode=0x1) returned 0x0 [0069.822] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.822] SetErrorMode (uMode=0x0) returned 0x1 [0069.823] GetFileType (hFile=0x30c) returned 0x1 [0069.823] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0069.825] CloseHandle (hObject=0x30c) returned 1 [0069.828] SetErrorMode (uMode=0x1) returned 0x0 [0069.828] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.828] SetErrorMode (uMode=0x0) returned 0x1 [0069.828] GetFileType (hFile=0x30c) returned 0x1 [0069.828] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0069.830] CloseHandle (hObject=0x30c) returned 1 [0069.830] SetErrorMode (uMode=0x1) returned 0x0 [0069.830] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdfaf2878, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0069.830] SetErrorMode (uMode=0x0) returned 0x1 [0069.830] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.831] SetErrorMode (uMode=0x1) returned 0x0 [0069.831] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1046\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.832] SetErrorMode (uMode=0x0) returned 0x1 [0069.832] GetFileType (hFile=0x30c) returned 0x1 [0069.833] CloseHandle (hObject=0x30c) returned 1 [0069.834] SetErrorMode (uMode=0x1) returned 0x0 [0069.834] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdfaf2878, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdfaf2878, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b34d0 [0069.834] SetErrorMode (uMode=0x0) returned 0x1 [0069.834] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0069.834] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0069.834] CoTaskMemFree (pv=0x10bc9c0) [0069.834] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0069.834] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x65c5d4b, Data2=0x8853, Data3=0x44f6, Data4=([0]=0xa6, [1]=0x7a, [2]=0xc4, [3]=0x8, [4]=0xd6, [5]=0x92, [6]=0xb0, [7]=0x84))) returned 0x0 [0069.834] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0069.834] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0069.835] CoTaskMemFree (pv=0x10bc9c0) [0069.835] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0069.835] SetErrorMode (uMode=0x1) returned 0x0 [0069.835] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b33b0 [0069.835] SetErrorMode (uMode=0x0) returned 0x1 [0069.835] SetErrorMode (uMode=0x1) returned 0x0 [0069.835] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8)) returned 1 [0069.836] SetErrorMode (uMode=0x0) returned 0x1 [0069.836] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1049\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.836] SetErrorMode (uMode=0x1) returned 0x0 [0069.836] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.836] SetErrorMode (uMode=0x0) returned 0x1 [0069.836] GetFileType (hFile=0x30c) returned 0x1 [0069.837] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-54405, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x33 [0069.839] CloseHandle (hObject=0x30c) returned 1 [0069.839] SetErrorMode (uMode=0x1) returned 0x0 [0069.839] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.839] SetErrorMode (uMode=0x0) returned 0x1 [0069.839] GetFileType (hFile=0x30c) returned 0x1 [0069.839] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xd4b8 [0069.841] CloseHandle (hObject=0x30c) returned 1 [0069.856] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1049\\eula.rtf", lpFilePart=0x0) returned 0x23 [0069.856] SetErrorMode (uMode=0x1) returned 0x0 [0069.856] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.856] SetErrorMode (uMode=0x0) returned 0x1 [0069.856] GetFileType (hFile=0x30c) returned 0x1 [0069.856] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x33 [0069.859] CloseHandle (hObject=0x30c) returned 1 [0069.859] SetErrorMode (uMode=0x1) returned 0x0 [0069.859] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdfb18992, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x13646)) returned 1 [0069.859] SetErrorMode (uMode=0x0) returned 0x1 [0069.859] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.909] SetErrorMode (uMode=0x1) returned 0x0 [0069.909] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a)) returned 1 [0069.909] SetErrorMode (uMode=0x0) returned 0x1 [0069.909] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0069.909] SetErrorMode (uMode=0x1) returned 0x0 [0069.909] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.909] SetErrorMode (uMode=0x0) returned 0x1 [0069.909] GetFileType (hFile=0x30c) returned 0x1 [0069.909] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x444b [0069.913] CloseHandle (hObject=0x30c) returned 1 [0069.913] SetErrorMode (uMode=0x1) returned 0x0 [0069.913] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.914] SetErrorMode (uMode=0x0) returned 0x1 [0069.914] GetFileType (hFile=0x30c) returned 0x1 [0069.914] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x13e4a [0069.916] CloseHandle (hObject=0x30c) returned 1 [0069.946] SetErrorMode (uMode=0x1) returned 0x0 [0069.946] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0069.946] SetErrorMode (uMode=0x0) returned 0x1 [0069.946] GetFileType (hFile=0x30c) returned 0x1 [0069.946] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x444b [0069.949] CloseHandle (hObject=0x30c) returned 1 [0069.949] SetErrorMode (uMode=0x1) returned 0x0 [0069.949] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdfbfd6fa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b10a)) returned 1 [0069.949] SetErrorMode (uMode=0x0) returned 0x1 [0069.949] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0069.950] SetErrorMode (uMode=0x1) returned 0x0 [0069.950] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758)) returned 1 [0069.950] SetErrorMode (uMode=0x0) returned 0x1 [0069.950] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1049\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0069.950] SetErrorMode (uMode=0x1) returned 0x0 [0069.950] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0069.950] SetErrorMode (uMode=0x0) returned 0x1 [0069.950] GetFileType (hFile=0x30c) returned 0x1 [0069.950] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18252, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xc [0070.021] CloseHandle (hObject=0x30c) returned 1 [0070.021] SetErrorMode (uMode=0x1) returned 0x0 [0070.021] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.021] SetErrorMode (uMode=0x0) returned 0x1 [0070.022] GetFileType (hFile=0x30c) returned 0x1 [0070.022] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4758 [0070.024] CloseHandle (hObject=0x30c) returned 1 [0070.027] SetErrorMode (uMode=0x1) returned 0x0 [0070.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.027] SetErrorMode (uMode=0x0) returned 0x1 [0070.027] GetFileType (hFile=0x30c) returned 0x1 [0070.027] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xc [0070.030] CloseHandle (hObject=0x30c) returned 1 [0070.030] SetErrorMode (uMode=0x1) returned 0x0 [0070.030] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdfcbd9bc, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x681f)) returned 1 [0070.030] SetErrorMode (uMode=0x0) returned 0x1 [0070.030] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.030] SetErrorMode (uMode=0x1) returned 0x0 [0070.030] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1049\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.031] SetErrorMode (uMode=0x0) returned 0x1 [0070.031] GetFileType (hFile=0x30c) returned 0x1 [0070.032] CloseHandle (hObject=0x30c) returned 1 [0070.032] SetErrorMode (uMode=0x1) returned 0x0 [0070.032] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdfcbd9bc, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdfcbd9bc, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0070.032] SetErrorMode (uMode=0x0) returned 0x1 [0070.032] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0070.032] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.032] CoTaskMemFree (pv=0x10bd8a0) [0070.033] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.033] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x50f0638c, Data2=0x9ebd, Data3=0x4e75, Data4=([0]=0x89, [1]=0xe0, [2]=0xd2, [3]=0xfd, [4]=0x4, [5]=0xae, [6]=0xfb, [7]=0x9e))) returned 0x0 [0070.033] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0070.033] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.033] CoTaskMemFree (pv=0x10bd8a0) [0070.033] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.033] SetErrorMode (uMode=0x1) returned 0x0 [0070.033] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0070.034] SetErrorMode (uMode=0x0) returned 0x1 [0070.034] SetErrorMode (uMode=0x1) returned 0x0 [0070.034] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19)) returned 1 [0070.034] SetErrorMode (uMode=0x0) returned 0x1 [0070.034] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1053\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.034] SetErrorMode (uMode=0x1) returned 0x0 [0070.035] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.035] SetErrorMode (uMode=0x0) returned 0x1 [0070.035] GetFileType (hFile=0x30c) returned 0x1 [0070.035] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3861, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4 [0070.036] CloseHandle (hObject=0x30c) returned 1 [0070.036] SetErrorMode (uMode=0x1) returned 0x0 [0070.036] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.036] SetErrorMode (uMode=0x0) returned 0x1 [0070.037] GetFileType (hFile=0x30c) returned 0x1 [0070.037] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xf19 [0070.038] CloseHandle (hObject=0x30c) returned 1 [0070.039] SetErrorMode (uMode=0x1) returned 0x0 [0070.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.039] SetErrorMode (uMode=0x0) returned 0x1 [0070.039] GetFileType (hFile=0x30c) returned 0x1 [0070.040] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4 [0070.040] CloseHandle (hObject=0x30c) returned 1 [0070.040] SetErrorMode (uMode=0x1) returned 0x0 [0070.041] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdfce25ca, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1617)) returned 1 [0070.041] SetErrorMode (uMode=0x0) returned 0x1 [0070.041] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.043] SetErrorMode (uMode=0x1) returned 0x0 [0070.043] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70)) returned 1 [0070.044] SetErrorMode (uMode=0x0) returned 0x1 [0070.044] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.044] SetErrorMode (uMode=0x1) returned 0x0 [0070.044] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.044] SetErrorMode (uMode=0x0) returned 0x1 [0070.044] GetFileType (hFile=0x30c) returned 0x1 [0070.044] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3571 [0070.046] CloseHandle (hObject=0x30c) returned 1 [0070.046] SetErrorMode (uMode=0x1) returned 0x0 [0070.046] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.046] SetErrorMode (uMode=0x0) returned 0x1 [0070.046] GetFileType (hFile=0x30c) returned 0x1 [0070.047] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x12f70 [0070.050] CloseHandle (hObject=0x30c) returned 1 [0070.107] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.107] SetErrorMode (uMode=0x1) returned 0x0 [0070.107] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.108] SetErrorMode (uMode=0x0) returned 0x1 [0070.108] GetFileType (hFile=0x30c) returned 0x1 [0070.108] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3571 [0070.111] CloseHandle (hObject=0x30c) returned 1 [0070.111] SetErrorMode (uMode=0x1) returned 0x0 [0070.111] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdfda10e5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1a230)) returned 1 [0070.111] SetErrorMode (uMode=0x0) returned 0x1 [0070.111] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.111] SetErrorMode (uMode=0x1) returned 0x0 [0070.112] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558)) returned 1 [0070.112] SetErrorMode (uMode=0x0) returned 0x1 [0070.112] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1053\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.112] SetErrorMode (uMode=0x1) returned 0x0 [0070.112] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.112] SetErrorMode (uMode=0x0) returned 0x1 [0070.112] GetFileType (hFile=0x30c) returned 0x1 [0070.112] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17667, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x55 [0070.117] CloseHandle (hObject=0x30c) returned 1 [0070.117] SetErrorMode (uMode=0x1) returned 0x0 [0070.117] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.117] SetErrorMode (uMode=0x0) returned 0x1 [0070.117] GetFileType (hFile=0x30c) returned 0x1 [0070.117] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4558 [0070.119] CloseHandle (hObject=0x30c) returned 1 [0070.122] SetErrorMode (uMode=0x1) returned 0x0 [0070.123] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.123] SetErrorMode (uMode=0x0) returned 0x1 [0070.123] GetFileType (hFile=0x30c) returned 0x1 [0070.123] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x55 [0070.124] CloseHandle (hObject=0x30c) returned 1 [0070.124] SetErrorMode (uMode=0x1) returned 0x0 [0070.124] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdfda10e5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6514)) returned 1 [0070.124] SetErrorMode (uMode=0x0) returned 0x1 [0070.124] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.125] SetErrorMode (uMode=0x1) returned 0x0 [0070.125] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1053\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.125] SetErrorMode (uMode=0x0) returned 0x1 [0070.125] GetFileType (hFile=0x30c) returned 0x1 [0070.127] CloseHandle (hObject=0x30c) returned 1 [0070.127] SetErrorMode (uMode=0x1) returned 0x0 [0070.127] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdfda10e5, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdfda10e5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3470 [0070.127] SetErrorMode (uMode=0x0) returned 0x1 [0070.127] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.127] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.127] CoTaskMemFree (pv=0x10bd680) [0070.127] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.127] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xb5744d92, Data2=0x5d24, Data3=0x4458, Data4=([0]=0x85, [1]=0x4f, [2]=0xc8, [3]=0xc0, [4]=0x71, [5]=0x1b, [6]=0x77, [7]=0xb1))) returned 0x0 [0070.128] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0070.128] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.128] CoTaskMemFree (pv=0x10be120) [0070.128] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.128] SetErrorMode (uMode=0x1) returned 0x0 [0070.128] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3470 [0070.128] SetErrorMode (uMode=0x0) returned 0x1 [0070.128] SetErrorMode (uMode=0x1) returned 0x0 [0070.128] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13)) returned 1 [0070.128] SetErrorMode (uMode=0x0) returned 0x1 [0070.128] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1055\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.128] SetErrorMode (uMode=0x1) returned 0x0 [0070.128] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.129] SetErrorMode (uMode=0x0) returned 0x1 [0070.129] GetFileType (hFile=0x30c) returned 0x1 [0070.129] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3744, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x73 [0070.131] CloseHandle (hObject=0x30c) returned 1 [0070.131] SetErrorMode (uMode=0x1) returned 0x0 [0070.131] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.131] SetErrorMode (uMode=0x0) returned 0x1 [0070.131] GetFileType (hFile=0x30c) returned 0x1 [0070.131] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xf13 [0070.133] CloseHandle (hObject=0x30c) returned 1 [0070.133] SetErrorMode (uMode=0x1) returned 0x0 [0070.134] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.134] SetErrorMode (uMode=0x0) returned 0x1 [0070.134] GetFileType (hFile=0x30c) returned 0x1 [0070.134] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x73 [0070.135] CloseHandle (hObject=0x30c) returned 1 [0070.135] SetErrorMode (uMode=0x1) returned 0x0 [0070.135] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdfdc74fb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15de)) returned 1 [0070.135] SetErrorMode (uMode=0x0) returned 0x1 [0070.135] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.137] SetErrorMode (uMode=0x1) returned 0x0 [0070.137] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12)) returned 1 [0070.137] SetErrorMode (uMode=0x0) returned 0x1 [0070.137] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.138] SetErrorMode (uMode=0x1) returned 0x0 [0070.138] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.138] SetErrorMode (uMode=0x0) returned 0x1 [0070.138] GetFileType (hFile=0x30c) returned 0x1 [0070.138] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3213 [0070.147] CloseHandle (hObject=0x30c) returned 1 [0070.147] SetErrorMode (uMode=0x1) returned 0x0 [0070.147] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.147] SetErrorMode (uMode=0x0) returned 0x1 [0070.147] GetFileType (hFile=0x30c) returned 0x1 [0070.147] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x12c12 [0070.149] CloseHandle (hObject=0x30c) returned 1 [0070.167] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.167] SetErrorMode (uMode=0x1) returned 0x0 [0070.167] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.167] SetErrorMode (uMode=0x0) returned 0x1 [0070.167] GetFileType (hFile=0x30c) returned 0x1 [0070.167] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3213 [0070.170] CloseHandle (hObject=0x30c) returned 1 [0070.170] SetErrorMode (uMode=0x1) returned 0x0 [0070.170] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdfe13a6a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x19ed2)) returned 1 [0070.170] SetErrorMode (uMode=0x0) returned 0x1 [0070.170] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.171] SetErrorMode (uMode=0x1) returned 0x0 [0070.171] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558)) returned 1 [0070.171] SetErrorMode (uMode=0x0) returned 0x1 [0070.171] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\1055\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.171] SetErrorMode (uMode=0x1) returned 0x0 [0070.171] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.171] SetErrorMode (uMode=0x0) returned 0x1 [0070.172] GetFileType (hFile=0x30c) returned 0x1 [0070.172] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-17667, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x55 [0070.173] CloseHandle (hObject=0x30c) returned 1 [0070.174] SetErrorMode (uMode=0x1) returned 0x0 [0070.174] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.174] SetErrorMode (uMode=0x0) returned 0x1 [0070.174] GetFileType (hFile=0x30c) returned 0x1 [0070.174] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4558 [0070.176] CloseHandle (hObject=0x30c) returned 1 [0070.192] SetErrorMode (uMode=0x1) returned 0x0 [0070.193] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.193] SetErrorMode (uMode=0x0) returned 0x1 [0070.193] GetFileType (hFile=0x30c) returned 0x1 [0070.193] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x55 [0070.194] CloseHandle (hObject=0x30c) returned 1 [0070.194] SetErrorMode (uMode=0x1) returned 0x0 [0070.194] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xdfe5ffaa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6514)) returned 1 [0070.195] SetErrorMode (uMode=0x0) returned 0x1 [0070.195] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.195] SetErrorMode (uMode=0x1) returned 0x0 [0070.195] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\1055\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.196] SetErrorMode (uMode=0x0) returned 0x1 [0070.196] GetFileType (hFile=0x30c) returned 0x1 [0070.197] CloseHandle (hObject=0x30c) returned 1 [0070.197] SetErrorMode (uMode=0x1) returned 0x0 [0070.198] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xdfe5ffaa, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xdfe5ffaa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2db0 [0070.198] SetErrorMode (uMode=0x0) returned 0x1 [0070.198] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.198] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.198] CoTaskMemFree (pv=0x10bd680) [0070.198] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.198] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x1959268b, Data2=0xc294, Data3=0x4d37, Data4=([0]=0xa2, [1]=0x64, [2]=0x70, [3]=0x93, [4]=0xad, [5]=0x5d, [6]=0x83, [7]=0x24))) returned 0x0 [0070.198] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.198] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.198] CoTaskMemFree (pv=0x10bd680) [0070.198] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.198] SetErrorMode (uMode=0x1) returned 0x0 [0070.198] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0070.199] SetErrorMode (uMode=0x0) returned 0x1 [0070.199] SetErrorMode (uMode=0x1) returned 0x0 [0070.199] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3)) returned 1 [0070.199] SetErrorMode (uMode=0x0) returned 0x1 [0070.199] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2052\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.199] SetErrorMode (uMode=0x1) returned 0x0 [0070.199] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.199] SetErrorMode (uMode=0x0) returned 0x1 [0070.199] GetFileType (hFile=0x30c) returned 0x1 [0070.199] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-5733, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5e [0070.201] CloseHandle (hObject=0x30c) returned 1 [0070.201] SetErrorMode (uMode=0x1) returned 0x0 [0070.201] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.202] SetErrorMode (uMode=0x0) returned 0x1 [0070.202] GetFileType (hFile=0x30c) returned 0x1 [0070.202] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x16c3 [0070.204] CloseHandle (hObject=0x30c) returned 1 [0070.206] SetErrorMode (uMode=0x1) returned 0x0 [0070.206] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.206] SetErrorMode (uMode=0x0) returned 0x1 [0070.206] GetFileType (hFile=0x30c) returned 0x1 [0070.206] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x5e [0070.208] CloseHandle (hObject=0x30c) returned 1 [0070.208] SetErrorMode (uMode=0x1) returned 0x0 [0070.208] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xdfe860a7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x211d)) returned 1 [0070.208] SetErrorMode (uMode=0x0) returned 0x1 [0070.208] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.211] SetErrorMode (uMode=0x1) returned 0x0 [0070.211] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c)) returned 1 [0070.211] SetErrorMode (uMode=0x0) returned 0x1 [0070.211] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.211] SetErrorMode (uMode=0x1) returned 0x0 [0070.211] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.211] SetErrorMode (uMode=0x0) returned 0x1 [0070.211] GetFileType (hFile=0x30c) returned 0x1 [0070.211] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-60606, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4e [0070.213] CloseHandle (hObject=0x30c) returned 1 [0070.213] SetErrorMode (uMode=0x1) returned 0x0 [0070.213] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.213] SetErrorMode (uMode=0x0) returned 0x1 [0070.213] GetFileType (hFile=0x30c) returned 0x1 [0070.213] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xed0c [0070.216] CloseHandle (hObject=0x30c) returned 1 [0070.233] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.233] SetErrorMode (uMode=0x1) returned 0x0 [0070.233] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.233] SetErrorMode (uMode=0x0) returned 0x1 [0070.233] GetFileType (hFile=0x30c) returned 0x1 [0070.233] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4e [0070.288] CloseHandle (hObject=0x30c) returned 1 [0070.289] SetErrorMode (uMode=0x1) returned 0x0 [0070.289] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xdff44bc1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x159b9)) returned 1 [0070.289] SetErrorMode (uMode=0x0) returned 0x1 [0070.290] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.411] SetErrorMode (uMode=0x1) returned 0x0 [0070.411] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758)) returned 1 [0070.411] SetErrorMode (uMode=0x0) returned 0x1 [0070.412] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2052\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.412] SetErrorMode (uMode=0x1) returned 0x0 [0070.412] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.412] SetErrorMode (uMode=0x0) returned 0x1 [0070.412] GetFileType (hFile=0x30c) returned 0x1 [0070.412] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-14157, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xb [0070.455] CloseHandle (hObject=0x30c) returned 1 [0070.455] SetErrorMode (uMode=0x1) returned 0x0 [0070.455] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.455] SetErrorMode (uMode=0x0) returned 0x1 [0070.455] GetFileType (hFile=0x30c) returned 0x1 [0070.455] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x3758 [0070.458] CloseHandle (hObject=0x30c) returned 1 [0070.460] SetErrorMode (uMode=0x1) returned 0x0 [0070.460] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.460] SetErrorMode (uMode=0x0) returned 0x1 [0070.460] GetFileType (hFile=0x30c) returned 0x1 [0070.460] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xb [0070.462] CloseHandle (hObject=0x30c) returned 1 [0070.462] SetErrorMode (uMode=0x1) returned 0x0 [0070.462] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe00e88c9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50ca)) returned 1 [0070.462] SetErrorMode (uMode=0x0) returned 0x1 [0070.462] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.463] SetErrorMode (uMode=0x1) returned 0x0 [0070.463] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\2052\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.463] SetErrorMode (uMode=0x0) returned 0x1 [0070.463] GetFileType (hFile=0x30c) returned 0x1 [0070.464] CloseHandle (hObject=0x30c) returned 1 [0070.467] SetErrorMode (uMode=0x1) returned 0x0 [0070.468] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe00e88c9, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe00e88c9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3590 [0070.468] SetErrorMode (uMode=0x0) returned 0x1 [0070.468] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0070.468] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.468] CoTaskMemFree (pv=0x10bd8a0) [0070.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.468] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xdfe431b8, Data2=0x2998, Data3=0x4fcb, Data4=([0]=0xba, [1]=0x70, [2]=0xfe, [3]=0xfe, [4]=0xf1, [5]=0x27, [6]=0xb7, [7]=0x76))) returned 0x0 [0070.468] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.468] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.468] CoTaskMemFree (pv=0x10bd680) [0070.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.468] SetErrorMode (uMode=0x1) returned 0x0 [0070.468] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3170 [0070.469] SetErrorMode (uMode=0x0) returned 0x1 [0070.469] SetErrorMode (uMode=0x1) returned 0x0 [0070.469] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf)) returned 1 [0070.469] SetErrorMode (uMode=0x0) returned 0x1 [0070.469] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2070\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.469] SetErrorMode (uMode=0x1) returned 0x0 [0070.469] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.469] SetErrorMode (uMode=0x0) returned 0x1 [0070.469] GetFileType (hFile=0x30c) returned 0x1 [0070.469] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3978, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x25 [0070.508] CloseHandle (hObject=0x30c) returned 1 [0070.509] SetErrorMode (uMode=0x1) returned 0x0 [0070.509] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.509] SetErrorMode (uMode=0x0) returned 0x1 [0070.509] GetFileType (hFile=0x30c) returned 0x1 [0070.509] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xfaf [0070.511] CloseHandle (hObject=0x30c) returned 1 [0070.512] SetErrorMode (uMode=0x1) returned 0x0 [0070.512] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.512] SetErrorMode (uMode=0x0) returned 0x1 [0070.512] GetFileType (hFile=0x30c) returned 0x1 [0070.512] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x25 [0070.513] CloseHandle (hObject=0x30c) returned 1 [0070.513] SetErrorMode (uMode=0x1) returned 0x0 [0070.513] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xe015adde, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x16e4)) returned 1 [0070.513] SetErrorMode (uMode=0x0) returned 0x1 [0070.513] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.517] SetErrorMode (uMode=0x1) returned 0x0 [0070.517] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e)) returned 1 [0070.517] SetErrorMode (uMode=0x0) returned 0x1 [0070.517] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.517] SetErrorMode (uMode=0x1) returned 0x0 [0070.518] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.518] SetErrorMode (uMode=0x0) returned 0x1 [0070.518] GetFileType (hFile=0x30c) returned 0x1 [0070.518] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3f7f [0070.520] CloseHandle (hObject=0x30c) returned 1 [0070.520] SetErrorMode (uMode=0x1) returned 0x0 [0070.520] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.520] SetErrorMode (uMode=0x0) returned 0x1 [0070.520] GetFileType (hFile=0x30c) returned 0x1 [0070.520] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1397e [0070.523] CloseHandle (hObject=0x30c) returned 1 [0070.590] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.590] SetErrorMode (uMode=0x1) returned 0x0 [0070.590] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.590] SetErrorMode (uMode=0x0) returned 0x1 [0070.590] GetFileType (hFile=0x30c) returned 0x1 [0070.590] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3f7f [0070.593] CloseHandle (hObject=0x30c) returned 1 [0070.593] SetErrorMode (uMode=0x1) returned 0x0 [0070.593] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xe02199cc, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3e)) returned 1 [0070.593] SetErrorMode (uMode=0x0) returned 0x1 [0070.593] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.594] SetErrorMode (uMode=0x1) returned 0x0 [0070.594] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958)) returned 1 [0070.594] SetErrorMode (uMode=0x0) returned 0x1 [0070.594] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\2070\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.594] SetErrorMode (uMode=0x1) returned 0x0 [0070.594] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.594] SetErrorMode (uMode=0x0) returned 0x1 [0070.594] GetFileType (hFile=0x30c) returned 0x1 [0070.595] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18720, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0070.596] CloseHandle (hObject=0x30c) returned 1 [0070.597] SetErrorMode (uMode=0x1) returned 0x0 [0070.597] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.597] SetErrorMode (uMode=0x0) returned 0x1 [0070.597] GetFileType (hFile=0x30c) returned 0x1 [0070.597] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4958 [0070.599] CloseHandle (hObject=0x30c) returned 1 [0070.602] SetErrorMode (uMode=0x1) returned 0x0 [0070.602] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.602] SetErrorMode (uMode=0x0) returned 0x1 [0070.602] GetFileType (hFile=0x30c) returned 0x1 [0070.603] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0070.604] CloseHandle (hObject=0x30c) returned 1 [0070.604] SetErrorMode (uMode=0x1) returned 0x0 [0070.604] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe023fa2e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6af7)) returned 1 [0070.604] SetErrorMode (uMode=0x0) returned 0x1 [0070.604] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.605] SetErrorMode (uMode=0x1) returned 0x0 [0070.605] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\2070\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.605] SetErrorMode (uMode=0x0) returned 0x1 [0070.605] GetFileType (hFile=0x30c) returned 0x1 [0070.606] CloseHandle (hObject=0x30c) returned 1 [0070.606] SetErrorMode (uMode=0x1) returned 0x0 [0070.606] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe023fa2e, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe023fa2e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0070.607] SetErrorMode (uMode=0x0) returned 0x1 [0070.607] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.607] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.607] CoTaskMemFree (pv=0x10bd680) [0070.607] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.607] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x8131e317, Data2=0xe433, Data3=0x41d4, Data4=([0]=0x8d, [1]=0x16, [2]=0xcd, [3]=0x7a, [4]=0xec, [5]=0xd, [6]=0x1a, [7]=0x60))) returned 0x0 [0070.607] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.607] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.607] CoTaskMemFree (pv=0x10bd680) [0070.607] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.607] SetErrorMode (uMode=0x1) returned 0x0 [0070.607] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3590 [0070.608] SetErrorMode (uMode=0x0) returned 0x1 [0070.608] SetErrorMode (uMode=0x1) returned 0x0 [0070.608] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5)) returned 1 [0070.608] SetErrorMode (uMode=0x0) returned 0x1 [0070.608] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3076\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.608] SetErrorMode (uMode=0x1) returned 0x0 [0070.608] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.608] SetErrorMode (uMode=0x0) returned 0x1 [0070.608] GetFileType (hFile=0x30c) returned 0x1 [0070.608] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-6201, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x6c [0070.610] CloseHandle (hObject=0x30c) returned 1 [0070.610] SetErrorMode (uMode=0x1) returned 0x0 [0070.610] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.611] SetErrorMode (uMode=0x0) returned 0x1 [0070.611] GetFileType (hFile=0x30c) returned 0x1 [0070.611] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x18a5 [0070.613] CloseHandle (hObject=0x30c) returned 1 [0070.614] SetErrorMode (uMode=0x1) returned 0x0 [0070.614] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.614] SetErrorMode (uMode=0x0) returned 0x1 [0070.614] GetFileType (hFile=0x30c) returned 0x1 [0070.614] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x6c [0070.615] CloseHandle (hObject=0x30c) returned 1 [0070.615] SetErrorMode (uMode=0x1) returned 0x0 [0070.615] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xe0265c3c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x23d7)) returned 1 [0070.615] SetErrorMode (uMode=0x0) returned 0x1 [0070.616] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.675] SetErrorMode (uMode=0x1) returned 0x0 [0070.675] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90)) returned 1 [0070.675] SetErrorMode (uMode=0x0) returned 0x1 [0070.675] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.675] SetErrorMode (uMode=0x1) returned 0x0 [0070.675] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.675] SetErrorMode (uMode=0x0) returned 0x1 [0070.675] GetFileType (hFile=0x30c) returned 0x1 [0070.676] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-60723, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5d [0070.678] CloseHandle (hObject=0x30c) returned 1 [0070.678] SetErrorMode (uMode=0x1) returned 0x0 [0070.678] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.678] SetErrorMode (uMode=0x0) returned 0x1 [0070.678] GetFileType (hFile=0x30c) returned 0x1 [0070.678] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xed90 [0070.680] CloseHandle (hObject=0x30c) returned 1 [0070.701] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.701] SetErrorMode (uMode=0x1) returned 0x0 [0070.701] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.701] SetErrorMode (uMode=0x0) returned 0x1 [0070.701] GetFileType (hFile=0x30c) returned 0x1 [0070.701] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x5d [0070.704] CloseHandle (hObject=0x30c) returned 1 [0070.705] SetErrorMode (uMode=0x1) returned 0x0 [0070.705] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xe034ac3a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15a70)) returned 1 [0070.705] SetErrorMode (uMode=0x0) returned 0x1 [0070.705] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.705] SetErrorMode (uMode=0x1) returned 0x0 [0070.705] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758)) returned 1 [0070.705] SetErrorMode (uMode=0x0) returned 0x1 [0070.706] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3076\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.706] SetErrorMode (uMode=0x1) returned 0x0 [0070.706] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.706] SetErrorMode (uMode=0x0) returned 0x1 [0070.706] GetFileType (hFile=0x30c) returned 0x1 [0070.706] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-14157, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xb [0070.708] CloseHandle (hObject=0x30c) returned 1 [0070.708] SetErrorMode (uMode=0x1) returned 0x0 [0070.708] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.708] SetErrorMode (uMode=0x0) returned 0x1 [0070.708] GetFileType (hFile=0x30c) returned 0x1 [0070.708] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x3758 [0070.710] CloseHandle (hObject=0x30c) returned 1 [0070.713] SetErrorMode (uMode=0x1) returned 0x0 [0070.713] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.713] SetErrorMode (uMode=0x0) returned 0x1 [0070.713] GetFileType (hFile=0x30c) returned 0x1 [0070.713] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0xb [0070.714] CloseHandle (hObject=0x30c) returned 1 [0070.714] SetErrorMode (uMode=0x1) returned 0x0 [0070.714] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe034ac3a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50ca)) returned 1 [0070.714] SetErrorMode (uMode=0x0) returned 0x1 [0070.714] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.715] SetErrorMode (uMode=0x1) returned 0x0 [0070.715] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\3076\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.756] SetErrorMode (uMode=0x0) returned 0x1 [0070.756] GetFileType (hFile=0x30c) returned 0x1 [0070.757] CloseHandle (hObject=0x30c) returned 1 [0070.757] SetErrorMode (uMode=0x1) returned 0x0 [0070.757] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe034ac3a, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe03bd1c9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0070.757] SetErrorMode (uMode=0x0) returned 0x1 [0070.757] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.757] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.758] CoTaskMemFree (pv=0x10bd680) [0070.758] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.758] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xf664b051, Data2=0xc3ea, Data3=0x46ec, Data4=([0]=0xa6, [1]=0x6d, [2]=0x25, [3]=0xb6, [4]=0xe8, [5]=0xe7, [6]=0x92, [7]=0x2))) returned 0x0 [0070.758] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0070.758] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.758] CoTaskMemFree (pv=0x10bc9c0) [0070.758] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.758] SetErrorMode (uMode=0x1) returned 0x0 [0070.758] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0070.758] SetErrorMode (uMode=0x0) returned 0x1 [0070.758] SetErrorMode (uMode=0x1) returned 0x0 [0070.758] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd)) returned 1 [0070.761] SetErrorMode (uMode=0x0) returned 0x1 [0070.761] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3082\\eula.rtf", lpFilePart=0x0) returned 0x23 [0070.761] SetErrorMode (uMode=0x1) returned 0x0 [0070.761] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.761] SetErrorMode (uMode=0x0) returned 0x1 [0070.761] GetFileType (hFile=0x30c) returned 0x1 [0070.761] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-3042, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1b [0070.763] CloseHandle (hObject=0x30c) returned 1 [0070.763] SetErrorMode (uMode=0x1) returned 0x0 [0070.763] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.763] SetErrorMode (uMode=0x0) returned 0x1 [0070.763] GetFileType (hFile=0x30c) returned 0x1 [0070.763] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0xbfd [0070.765] CloseHandle (hObject=0x30c) returned 1 [0070.766] SetErrorMode (uMode=0x1) returned 0x0 [0070.766] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.766] SetErrorMode (uMode=0x0) returned 0x1 [0070.766] GetFileType (hFile=0x30c) returned 0x1 [0070.766] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x1b [0070.767] CloseHandle (hObject=0x30c) returned 1 [0070.767] SetErrorMode (uMode=0x1) returned 0x0 [0070.767] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0xe03e33d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1186)) returned 1 [0070.768] SetErrorMode (uMode=0x0) returned 0x1 [0070.768] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.770] SetErrorMode (uMode=0x1) returned 0x0 [0070.770] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c)) returned 1 [0070.770] SetErrorMode (uMode=0x0) returned 0x1 [0070.770] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.770] SetErrorMode (uMode=0x1) returned 0x0 [0070.770] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.770] SetErrorMode (uMode=0x0) returned 0x1 [0070.770] GetFileType (hFile=0x30c) returned 0x1 [0070.770] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3e7d [0070.772] CloseHandle (hObject=0x30c) returned 1 [0070.772] SetErrorMode (uMode=0x1) returned 0x0 [0070.772] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.772] SetErrorMode (uMode=0x0) returned 0x1 [0070.772] GetFileType (hFile=0x30c) returned 0x1 [0070.772] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x1387c [0070.774] CloseHandle (hObject=0x30c) returned 1 [0070.854] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", nBufferLength=0x105, lpBuffer=0xf1e070, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", lpFilePart=0x0) returned 0x2c [0070.854] SetErrorMode (uMode=0x1) returned 0x0 [0070.854] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.854] SetErrorMode (uMode=0x0) returned 0x1 [0070.854] GetFileType (hFile=0x30c) returned 0x1 [0070.854] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x3e7d [0070.857] CloseHandle (hObject=0x30c) returned 1 [0070.857] SetErrorMode (uMode=0x1) returned 0x0 [0070.857] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0xe04a21f7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1ab3c)) returned 1 [0070.857] SetErrorMode (uMode=0x0) returned 0x1 [0070.857] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.858] SetErrorMode (uMode=0x1) returned 0x0 [0070.858] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958)) returned 1 [0070.858] SetErrorMode (uMode=0x0) returned 0x1 [0070.858] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\3082\\SetupResources.dll", lpFilePart=0x0) returned 0x2d [0070.858] SetErrorMode (uMode=0x1) returned 0x0 [0070.858] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.858] SetErrorMode (uMode=0x0) returned 0x1 [0070.858] GetFileType (hFile=0x30c) returned 0x1 [0070.858] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18720, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x38 [0070.861] CloseHandle (hObject=0x30c) returned 1 [0070.861] SetErrorMode (uMode=0x1) returned 0x0 [0070.861] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.861] SetErrorMode (uMode=0x0) returned 0x1 [0070.861] GetFileType (hFile=0x30c) returned 0x1 [0070.861] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x4958 [0070.863] CloseHandle (hObject=0x30c) returned 1 [0070.867] SetErrorMode (uMode=0x1) returned 0x0 [0070.867] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.867] SetErrorMode (uMode=0x0) returned 0x1 [0070.867] GetFileType (hFile=0x30c) returned 0x1 [0070.867] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x38 [0070.868] CloseHandle (hObject=0x30c) returned 1 [0070.868] SetErrorMode (uMode=0x1) returned 0x0 [0070.868] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe04c80fb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6af7)) returned 1 [0070.868] SetErrorMode (uMode=0x0) returned 0x1 [0070.868] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.869] SetErrorMode (uMode=0x1) returned 0x0 [0070.869] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\3082\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.869] SetErrorMode (uMode=0x0) returned 0x1 [0070.869] GetFileType (hFile=0x30c) returned 0x1 [0070.870] CloseHandle (hObject=0x30c) returned 1 [0070.871] SetErrorMode (uMode=0x1) returned 0x0 [0070.871] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe04c80fb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe04c80fb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0070.871] SetErrorMode (uMode=0x0) returned 0x1 [0070.871] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0070.871] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.871] CoTaskMemFree (pv=0x10be120) [0070.871] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.871] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x3bb0239f, Data2=0x3eef, Data3=0x463d, Data4=([0]=0xad, [1]=0x6a, [2]=0x8c, [3]=0x34, [4]=0xc3, [5]=0xff, [6]=0x31, [7]=0xe2))) returned 0x0 [0070.871] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0070.871] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.871] CoTaskMemFree (pv=0x10be120) [0070.871] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.871] SetErrorMode (uMode=0x1) returned 0x0 [0070.871] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0070.872] SetErrorMode (uMode=0x0) returned 0x1 [0070.872] SetErrorMode (uMode=0x1) returned 0x0 [0070.872] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444)) returned 1 [0070.873] SetErrorMode (uMode=0x0) returned 0x1 [0070.873] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", lpFilePart=0x0) returned 0x2e [0070.873] SetErrorMode (uMode=0x1) returned 0x0 [0070.873] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.873] SetErrorMode (uMode=0x0) returned 0x1 [0070.873] GetFileType (hFile=0x30c) returned 0x1 [0070.873] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x21a45 [0070.875] CloseHandle (hObject=0x30c) returned 1 [0070.875] SetErrorMode (uMode=0x1) returned 0x0 [0070.875] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.875] SetErrorMode (uMode=0x0) returned 0x1 [0070.875] GetFileType (hFile=0x30c) returned 0x1 [0070.875] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x31444 [0070.878] CloseHandle (hObject=0x30c) returned 1 [0070.890] SetErrorMode (uMode=0x1) returned 0x0 [0070.891] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.891] SetErrorMode (uMode=0x0) returned 0x1 [0070.891] GetFileType (hFile=0x30c) returned 0x1 [0070.891] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x21a45 [0070.926] CloseHandle (hObject=0x30c) returned 1 [0070.926] SetErrorMode (uMode=0x1) returned 0x0 [0070.926] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xe0560d31, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x38704)) returned 1 [0070.926] SetErrorMode (uMode=0x0) returned 0x1 [0070.927] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.927] SetErrorMode (uMode=0x1) returned 0x0 [0070.927] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882)) returned 1 [0070.927] SetErrorMode (uMode=0x0) returned 0x1 [0070.928] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Client\\UiInfo.xml", lpFilePart=0x0) returned 0x27 [0070.928] SetErrorMode (uMode=0x1) returned 0x0 [0070.928] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.928] SetErrorMode (uMode=0x0) returned 0x1 [0070.928] GetFileType (hFile=0x30c) returned 0x1 [0070.928] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-38961, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x51 [0070.931] CloseHandle (hObject=0x30c) returned 1 [0070.931] SetErrorMode (uMode=0x1) returned 0x0 [0070.931] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.932] SetErrorMode (uMode=0x0) returned 0x1 [0070.932] GetFileType (hFile=0x30c) returned 0x1 [0070.932] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x9882 [0070.934] CloseHandle (hObject=0x30c) returned 1 [0070.942] SetErrorMode (uMode=0x1) returned 0x0 [0070.942] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.942] SetErrorMode (uMode=0x0) returned 0x1 [0070.942] GetFileType (hFile=0x30c) returned 0x1 [0070.942] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x51 [0070.944] CloseHandle (hObject=0x30c) returned 1 [0070.944] SetErrorMode (uMode=0x1) returned 0x0 [0070.944] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0xe0586f53, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xde64)) returned 1 [0070.944] SetErrorMode (uMode=0x0) returned 0x1 [0070.944] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0070.945] SetErrorMode (uMode=0x1) returned 0x0 [0070.945] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\client\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.947] SetErrorMode (uMode=0x0) returned 0x1 [0070.947] GetFileType (hFile=0x30c) returned 0x1 [0070.948] CloseHandle (hObject=0x30c) returned 1 [0070.948] SetErrorMode (uMode=0x1) returned 0x0 [0070.949] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe0586f53, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe0586f53, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0070.949] SetErrorMode (uMode=0x0) returned 0x1 [0070.949] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0070.949] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0070.949] CoTaskMemFree (pv=0x10bd680) [0070.949] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0070.949] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xef3abe6a, Data2=0xb49, Data3=0x4405, Data4=([0]=0xbd, [1]=0x94, [2]=0x7, [3]=0x76, [4]=0x79, [5]=0x13, [6]=0x75, [7]=0x6a))) returned 0x0 [0070.949] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0070.949] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0070.949] CoTaskMemFree (pv=0x10bc9c0) [0070.949] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0070.949] SetErrorMode (uMode=0x1) returned 0x0 [0070.949] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0070.950] SetErrorMode (uMode=0x0) returned 0x1 [0070.950] SetErrorMode (uMode=0x1) returned 0x0 [0070.950] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82)) returned 1 [0070.950] SetErrorMode (uMode=0x0) returned 0x1 [0070.950] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", lpFilePart=0x0) returned 0x30 [0070.950] SetErrorMode (uMode=0x1) returned 0x0 [0070.950] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.950] SetErrorMode (uMode=0x0) returned 0x1 [0070.950] GetFileType (hFile=0x30c) returned 0x1 [0070.950] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x7283 [0070.953] CloseHandle (hObject=0x30c) returned 1 [0070.953] SetErrorMode (uMode=0x1) returned 0x0 [0070.953] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0070.953] SetErrorMode (uMode=0x0) returned 0x1 [0070.953] GetFileType (hFile=0x30c) returned 0x1 [0070.953] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x16c82 [0070.956] CloseHandle (hObject=0x30c) returned 1 [0070.969] SetErrorMode (uMode=0x1) returned 0x0 [0070.969] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0070.969] SetErrorMode (uMode=0x0) returned 0x1 [0070.969] GetFileType (hFile=0x30c) returned 0x1 [0070.969] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x7283 [0071.009] CloseHandle (hObject=0x30c) returned 1 [0071.009] SetErrorMode (uMode=0x1) returned 0x0 [0071.009] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0xe061f9cc, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1df42)) returned 1 [0071.009] SetErrorMode (uMode=0x0) returned 0x1 [0071.009] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.010] SetErrorMode (uMode=0x1) returned 0x0 [0071.010] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a)) returned 1 [0071.010] SetErrorMode (uMode=0x0) returned 0x1 [0071.010] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", lpFilePart=0x0) returned 0x29 [0071.010] SetErrorMode (uMode=0x1) returned 0x0 [0071.010] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.011] SetErrorMode (uMode=0x0) returned 0x1 [0071.011] GetFileType (hFile=0x30c) returned 0x1 [0071.011] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-38961, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x59 [0071.012] CloseHandle (hObject=0x30c) returned 1 [0071.013] SetErrorMode (uMode=0x1) returned 0x0 [0071.013] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.013] SetErrorMode (uMode=0x0) returned 0x1 [0071.013] GetFileType (hFile=0x30c) returned 0x1 [0071.013] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x988a [0071.015] CloseHandle (hObject=0x30c) returned 1 [0071.025] SetErrorMode (uMode=0x1) returned 0x0 [0071.025] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.026] SetErrorMode (uMode=0x0) returned 0x1 [0071.026] GetFileType (hFile=0x30c) returned 0x1 [0071.026] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x59 [0071.028] CloseHandle (hObject=0x30c) returned 1 [0071.028] SetErrorMode (uMode=0x1) returned 0x0 [0071.028] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0xe0645ba1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xde6c)) returned 1 [0071.028] SetErrorMode (uMode=0x0) returned 0x1 [0071.028] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.028] SetErrorMode (uMode=0x1) returned 0x0 [0071.028] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\extended\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.030] SetErrorMode (uMode=0x0) returned 0x1 [0071.030] GetFileType (hFile=0x30c) returned 0x1 [0071.031] CloseHandle (hObject=0x30c) returned 1 [0071.032] SetErrorMode (uMode=0x1) returned 0x0 [0071.032] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe0645ba1, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe0645ba1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b32f0 [0071.032] SetErrorMode (uMode=0x0) returned 0x1 [0071.032] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.032] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.032] CoTaskMemFree (pv=0x10bd680) [0071.032] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.033] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x8a26a00f, Data2=0x8ef0, Data3=0x4507, Data4=([0]=0xb9, [1]=0x57, [2]=0x6a, [3]=0x5a, [4]=0x3f, [5]=0x2b, [6]=0x69, [7]=0xfc))) returned 0x0 [0071.033] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.033] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.033] CoTaskMemFree (pv=0x10bd680) [0071.033] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.033] SetErrorMode (uMode=0x1) returned 0x0 [0071.033] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0071.035] SetErrorMode (uMode=0x0) returned 0x1 [0071.035] SetErrorMode (uMode=0x1) returned 0x0 [0071.036] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e)) returned 1 [0071.037] SetErrorMode (uMode=0x0) returned 0x1 [0071.037] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Print.ico", lpFilePart=0x0) returned 0x28 [0071.037] SetErrorMode (uMode=0x1) returned 0x0 [0071.037] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.037] SetErrorMode (uMode=0x0) returned 0x1 [0071.037] GetFileType (hFile=0x30c) returned 0x1 [0071.037] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-1053, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x61 [0071.039] CloseHandle (hObject=0x30c) returned 1 [0071.039] SetErrorMode (uMode=0x1) returned 0x0 [0071.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.039] SetErrorMode (uMode=0x0) returned 0x1 [0071.039] GetFileType (hFile=0x30c) returned 0x1 [0071.039] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x47e [0071.041] CloseHandle (hObject=0x30c) returned 1 [0071.041] SetErrorMode (uMode=0x1) returned 0x0 [0071.041] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.041] SetErrorMode (uMode=0x0) returned 0x1 [0071.041] GetFileType (hFile=0x30c) returned 0x1 [0071.042] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x61 [0071.042] CloseHandle (hObject=0x30c) returned 1 [0071.042] SetErrorMode (uMode=0x1) returned 0x0 [0071.042] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe066bdab, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x674)) returned 1 [0071.042] SetErrorMode (uMode=0x0) returned 0x1 [0071.043] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.043] SetErrorMode (uMode=0x1) returned 0x0 [0071.043] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.043] SetErrorMode (uMode=0x0) returned 0x1 [0071.043] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico", lpFilePart=0x0) returned 0x2a [0071.043] SetErrorMode (uMode=0x1) returned 0x0 [0071.043] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.043] SetErrorMode (uMode=0x0) returned 0x1 [0071.043] GetFileType (hFile=0x30c) returned 0x1 [0071.044] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.103] CloseHandle (hObject=0x30c) returned 1 [0071.103] SetErrorMode (uMode=0x1) returned 0x0 [0071.104] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.104] SetErrorMode (uMode=0x0) returned 0x1 [0071.104] GetFileType (hFile=0x30c) returned 0x1 [0071.104] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.106] CloseHandle (hObject=0x30c) returned 1 [0071.106] SetErrorMode (uMode=0x1) returned 0x0 [0071.106] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.106] SetErrorMode (uMode=0x0) returned 0x1 [0071.106] GetFileType (hFile=0x30c) returned 0x1 [0071.106] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.107] CloseHandle (hObject=0x30c) returned 1 [0071.107] SetErrorMode (uMode=0x1) returned 0x0 [0071.107] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe0704703, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.107] SetErrorMode (uMode=0x0) returned 0x1 [0071.107] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.108] SetErrorMode (uMode=0x1) returned 0x0 [0071.108] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.108] SetErrorMode (uMode=0x0) returned 0x1 [0071.108] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico", lpFilePart=0x0) returned 0x2a [0071.108] SetErrorMode (uMode=0x1) returned 0x0 [0071.108] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.108] SetErrorMode (uMode=0x0) returned 0x1 [0071.108] GetFileType (hFile=0x30c) returned 0x1 [0071.108] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.110] CloseHandle (hObject=0x30c) returned 1 [0071.110] SetErrorMode (uMode=0x1) returned 0x0 [0071.110] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.111] SetErrorMode (uMode=0x0) returned 0x1 [0071.111] GetFileType (hFile=0x30c) returned 0x1 [0071.111] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.113] CloseHandle (hObject=0x30c) returned 1 [0071.113] SetErrorMode (uMode=0x1) returned 0x0 [0071.113] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.113] SetErrorMode (uMode=0x0) returned 0x1 [0071.113] GetFileType (hFile=0x30c) returned 0x1 [0071.113] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.114] CloseHandle (hObject=0x30c) returned 1 [0071.114] SetErrorMode (uMode=0x1) returned 0x0 [0071.114] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe072a677, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.114] SetErrorMode (uMode=0x0) returned 0x1 [0071.114] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.115] SetErrorMode (uMode=0x1) returned 0x0 [0071.115] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.115] SetErrorMode (uMode=0x0) returned 0x1 [0071.115] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico", lpFilePart=0x0) returned 0x2a [0071.115] SetErrorMode (uMode=0x1) returned 0x0 [0071.115] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.115] SetErrorMode (uMode=0x0) returned 0x1 [0071.115] GetFileType (hFile=0x30c) returned 0x1 [0071.115] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.117] CloseHandle (hObject=0x30c) returned 1 [0071.117] SetErrorMode (uMode=0x1) returned 0x0 [0071.117] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.117] SetErrorMode (uMode=0x0) returned 0x1 [0071.117] GetFileType (hFile=0x30c) returned 0x1 [0071.117] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.119] CloseHandle (hObject=0x30c) returned 1 [0071.120] SetErrorMode (uMode=0x1) returned 0x0 [0071.120] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.120] SetErrorMode (uMode=0x0) returned 0x1 [0071.120] GetFileType (hFile=0x30c) returned 0x1 [0071.120] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.121] CloseHandle (hObject=0x30c) returned 1 [0071.121] SetErrorMode (uMode=0x1) returned 0x0 [0071.121] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe072a677, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.121] SetErrorMode (uMode=0x0) returned 0x1 [0071.121] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.121] SetErrorMode (uMode=0x1) returned 0x0 [0071.121] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.122] SetErrorMode (uMode=0x0) returned 0x1 [0071.122] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico", lpFilePart=0x0) returned 0x2a [0071.122] SetErrorMode (uMode=0x1) returned 0x0 [0071.122] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.122] SetErrorMode (uMode=0x0) returned 0x1 [0071.122] GetFileType (hFile=0x30c) returned 0x1 [0071.122] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.126] CloseHandle (hObject=0x30c) returned 1 [0071.126] SetErrorMode (uMode=0x1) returned 0x0 [0071.126] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.126] SetErrorMode (uMode=0x0) returned 0x1 [0071.126] GetFileType (hFile=0x30c) returned 0x1 [0071.126] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.128] CloseHandle (hObject=0x30c) returned 1 [0071.128] SetErrorMode (uMode=0x1) returned 0x0 [0071.129] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.129] SetErrorMode (uMode=0x0) returned 0x1 [0071.129] GetFileType (hFile=0x30c) returned 0x1 [0071.129] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.129] CloseHandle (hObject=0x30c) returned 1 [0071.130] SetErrorMode (uMode=0x1) returned 0x0 [0071.130] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe0750930, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.130] SetErrorMode (uMode=0x0) returned 0x1 [0071.130] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.130] SetErrorMode (uMode=0x1) returned 0x0 [0071.130] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.131] SetErrorMode (uMode=0x0) returned 0x1 [0071.131] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico", lpFilePart=0x0) returned 0x2a [0071.131] SetErrorMode (uMode=0x1) returned 0x0 [0071.131] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.131] SetErrorMode (uMode=0x0) returned 0x1 [0071.131] GetFileType (hFile=0x30c) returned 0x1 [0071.131] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.133] CloseHandle (hObject=0x30c) returned 1 [0071.133] SetErrorMode (uMode=0x1) returned 0x0 [0071.133] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.133] SetErrorMode (uMode=0x0) returned 0x1 [0071.133] GetFileType (hFile=0x30c) returned 0x1 [0071.133] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.135] CloseHandle (hObject=0x30c) returned 1 [0071.135] SetErrorMode (uMode=0x1) returned 0x0 [0071.135] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.136] SetErrorMode (uMode=0x0) returned 0x1 [0071.136] GetFileType (hFile=0x30c) returned 0x1 [0071.136] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.138] CloseHandle (hObject=0x30c) returned 1 [0071.138] SetErrorMode (uMode=0x1) returned 0x0 [0071.138] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe0750930, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.138] SetErrorMode (uMode=0x0) returned 0x1 [0071.138] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.138] SetErrorMode (uMode=0x1) returned 0x0 [0071.138] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.139] SetErrorMode (uMode=0x0) returned 0x1 [0071.139] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico", lpFilePart=0x0) returned 0x2a [0071.139] SetErrorMode (uMode=0x1) returned 0x0 [0071.139] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.139] SetErrorMode (uMode=0x0) returned 0x1 [0071.139] GetFileType (hFile=0x30c) returned 0x1 [0071.139] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.175] CloseHandle (hObject=0x30c) returned 1 [0071.176] SetErrorMode (uMode=0x1) returned 0x0 [0071.176] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.176] SetErrorMode (uMode=0x0) returned 0x1 [0071.176] GetFileType (hFile=0x30c) returned 0x1 [0071.176] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.187] CloseHandle (hObject=0x30c) returned 1 [0071.187] SetErrorMode (uMode=0x1) returned 0x0 [0071.187] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.188] SetErrorMode (uMode=0x0) returned 0x1 [0071.188] GetFileType (hFile=0x30c) returned 0x1 [0071.188] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.188] CloseHandle (hObject=0x30c) returned 1 [0071.188] SetErrorMode (uMode=0x1) returned 0x0 [0071.189] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe07c3272, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.189] SetErrorMode (uMode=0x0) returned 0x1 [0071.189] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.189] SetErrorMode (uMode=0x1) returned 0x0 [0071.189] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.189] SetErrorMode (uMode=0x0) returned 0x1 [0071.189] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico", lpFilePart=0x0) returned 0x2a [0071.189] SetErrorMode (uMode=0x1) returned 0x0 [0071.190] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.190] SetErrorMode (uMode=0x0) returned 0x1 [0071.190] GetFileType (hFile=0x30c) returned 0x1 [0071.190] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.194] CloseHandle (hObject=0x30c) returned 1 [0071.194] SetErrorMode (uMode=0x1) returned 0x0 [0071.194] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.194] SetErrorMode (uMode=0x0) returned 0x1 [0071.194] GetFileType (hFile=0x30c) returned 0x1 [0071.194] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.196] CloseHandle (hObject=0x30c) returned 1 [0071.197] SetErrorMode (uMode=0x1) returned 0x0 [0071.197] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.197] SetErrorMode (uMode=0x0) returned 0x1 [0071.197] GetFileType (hFile=0x30c) returned 0x1 [0071.197] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.198] CloseHandle (hObject=0x30c) returned 1 [0071.198] SetErrorMode (uMode=0x1) returned 0x0 [0071.198] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe07f2592, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.198] SetErrorMode (uMode=0x0) returned 0x1 [0071.198] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.198] SetErrorMode (uMode=0x1) returned 0x0 [0071.198] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e)) returned 1 [0071.199] SetErrorMode (uMode=0x0) returned 0x1 [0071.199] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico", lpFilePart=0x0) returned 0x2a [0071.199] SetErrorMode (uMode=0x1) returned 0x0 [0071.199] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.199] SetErrorMode (uMode=0x0) returned 0x1 [0071.199] GetFileType (hFile=0x30c) returned 0x1 [0071.199] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-819, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0071.201] CloseHandle (hObject=0x30c) returned 1 [0071.201] SetErrorMode (uMode=0x1) returned 0x0 [0071.201] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.201] SetErrorMode (uMode=0x0) returned 0x1 [0071.201] GetFileType (hFile=0x30c) returned 0x1 [0071.201] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x37e [0071.203] CloseHandle (hObject=0x30c) returned 1 [0071.204] SetErrorMode (uMode=0x1) returned 0x0 [0071.204] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.204] SetErrorMode (uMode=0x0) returned 0x1 [0071.204] GetFileType (hFile=0x30c) returned 0x1 [0071.204] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x4b [0071.205] CloseHandle (hObject=0x30c) returned 1 [0071.205] SetErrorMode (uMode=0x1) returned 0x0 [0071.205] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe080f7b8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x50a)) returned 1 [0071.205] SetErrorMode (uMode=0x0) returned 0x1 [0071.205] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.205] SetErrorMode (uMode=0x1) returned 0x0 [0071.205] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e)) returned 1 [0071.206] SetErrorMode (uMode=0x0) returned 0x1 [0071.206] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Save.ico", lpFilePart=0x0) returned 0x27 [0071.206] SetErrorMode (uMode=0x1) returned 0x0 [0071.206] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.206] SetErrorMode (uMode=0x0) returned 0x1 [0071.206] GetFileType (hFile=0x30c) returned 0x1 [0071.206] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-1053, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x61 [0071.207] CloseHandle (hObject=0x30c) returned 1 [0071.208] SetErrorMode (uMode=0x1) returned 0x0 [0071.208] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.208] SetErrorMode (uMode=0x0) returned 0x1 [0071.208] GetFileType (hFile=0x30c) returned 0x1 [0071.208] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x47e [0071.210] CloseHandle (hObject=0x30c) returned 1 [0071.210] SetErrorMode (uMode=0x1) returned 0x0 [0071.210] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.210] SetErrorMode (uMode=0x0) returned 0x1 [0071.210] GetFileType (hFile=0x30c) returned 0x1 [0071.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x61 [0071.211] CloseHandle (hObject=0x30c) returned 1 [0071.211] SetErrorMode (uMode=0x1) returned 0x0 [0071.211] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe080f7b8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x674)) returned 1 [0071.211] SetErrorMode (uMode=0x0) returned 0x1 [0071.211] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.212] SetErrorMode (uMode=0x1) returned 0x0 [0071.212] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66)) returned 1 [0071.212] SetErrorMode (uMode=0x0) returned 0x1 [0071.212] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\Setup.ico", lpFilePart=0x0) returned 0x28 [0071.212] SetErrorMode (uMode=0x1) returned 0x0 [0071.212] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.212] SetErrorMode (uMode=0x0) returned 0x1 [0071.212] GetFileType (hFile=0x30c) returned 0x1 [0071.212] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-36621, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x59 [0071.252] CloseHandle (hObject=0x30c) returned 1 [0071.253] SetErrorMode (uMode=0x1) returned 0x0 [0071.253] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.253] SetErrorMode (uMode=0x0) returned 0x1 [0071.253] GetFileType (hFile=0x30c) returned 0x1 [0071.253] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x8f66 [0071.255] CloseHandle (hObject=0x30c) returned 1 [0071.262] SetErrorMode (uMode=0x1) returned 0x0 [0071.262] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.262] SetErrorMode (uMode=0x0) returned 0x1 [0071.262] GetFileType (hFile=0x30c) returned 0x1 [0071.262] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x59 [0071.264] CloseHandle (hObject=0x30c) returned 1 [0071.264] SetErrorMode (uMode=0x1) returned 0x0 [0071.264] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe0881e88, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xd118)) returned 1 [0071.264] SetErrorMode (uMode=0x0) returned 0x1 [0071.264] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.266] SetErrorMode (uMode=0x1) returned 0x0 [0071.266] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796)) returned 1 [0071.266] SetErrorMode (uMode=0x0) returned 0x1 [0071.266] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\stop.ico", lpFilePart=0x0) returned 0x27 [0071.266] SetErrorMode (uMode=0x1) returned 0x0 [0071.266] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.266] SetErrorMode (uMode=0x0) returned 0x1 [0071.267] GetFileType (hFile=0x30c) returned 0x1 [0071.267] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-10062, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x48 [0071.268] CloseHandle (hObject=0x30c) returned 1 [0071.269] SetErrorMode (uMode=0x1) returned 0x0 [0071.269] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.269] SetErrorMode (uMode=0x0) returned 0x1 [0071.269] GetFileType (hFile=0x30c) returned 0x1 [0071.269] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x2796 [0071.271] CloseHandle (hObject=0x30c) returned 1 [0071.272] SetErrorMode (uMode=0x1) returned 0x0 [0071.273] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.273] SetErrorMode (uMode=0x0) returned 0x1 [0071.273] GetFileType (hFile=0x30c) returned 0x1 [0071.273] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x48 [0071.274] CloseHandle (hObject=0x30c) returned 1 [0071.274] SetErrorMode (uMode=0x1) returned 0x0 [0071.274] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0xe08a7ecf, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x39b3)) returned 1 [0071.274] SetErrorMode (uMode=0x0) returned 0x1 [0071.274] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.275] SetErrorMode (uMode=0x1) returned 0x0 [0071.275] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e)) returned 1 [0071.275] SetErrorMode (uMode=0x0) returned 0x1 [0071.275] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico", lpFilePart=0x0) returned 0x2c [0071.275] SetErrorMode (uMode=0x1) returned 0x0 [0071.275] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.275] SetErrorMode (uMode=0x0) returned 0x1 [0071.275] GetFileType (hFile=0x30c) returned 0x1 [0071.275] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-1053, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x61 [0071.277] CloseHandle (hObject=0x30c) returned 1 [0071.277] SetErrorMode (uMode=0x1) returned 0x0 [0071.277] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.277] SetErrorMode (uMode=0x0) returned 0x1 [0071.277] GetFileType (hFile=0x30c) returned 0x1 [0071.277] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x47e [0071.279] CloseHandle (hObject=0x30c) returned 1 [0071.279] SetErrorMode (uMode=0x1) returned 0x0 [0071.279] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.279] SetErrorMode (uMode=0x0) returned 0x1 [0071.279] GetFileType (hFile=0x30c) returned 0x1 [0071.279] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x61 [0071.280] CloseHandle (hObject=0x30c) returned 1 [0071.280] SetErrorMode (uMode=0x1) returned 0x0 [0071.280] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe08a7ecf, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x674)) returned 1 [0071.280] SetErrorMode (uMode=0x0) returned 0x1 [0071.280] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.281] SetErrorMode (uMode=0x1) returned 0x0 [0071.281] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e)) returned 1 [0071.281] SetErrorMode (uMode=0x0) returned 0x1 [0071.281] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico", lpFilePart=0x0) returned 0x2f [0071.281] SetErrorMode (uMode=0x1) returned 0x0 [0071.281] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.281] SetErrorMode (uMode=0x0) returned 0x1 [0071.281] GetFileType (hFile=0x30c) returned 0x1 [0071.281] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-1053, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x61 [0071.283] CloseHandle (hObject=0x30c) returned 1 [0071.283] SetErrorMode (uMode=0x1) returned 0x0 [0071.283] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.284] SetErrorMode (uMode=0x0) returned 0x1 [0071.284] GetFileType (hFile=0x30c) returned 0x1 [0071.284] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x47e [0071.285] CloseHandle (hObject=0x30c) returned 1 [0071.286] SetErrorMode (uMode=0x1) returned 0x0 [0071.286] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.286] SetErrorMode (uMode=0x0) returned 0x1 [0071.286] GetFileType (hFile=0x30c) returned 0x1 [0071.286] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x61 [0071.287] CloseHandle (hObject=0x30c) returned 1 [0071.287] SetErrorMode (uMode=0x1) returned 0x0 [0071.287] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe08ce368, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x674)) returned 1 [0071.287] SetErrorMode (uMode=0x0) returned 0x1 [0071.287] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.288] SetErrorMode (uMode=0x1) returned 0x0 [0071.288] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796)) returned 1 [0071.288] SetErrorMode (uMode=0x0) returned 0x1 [0071.288] GetFullPathNameW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\588bce7c90097ed212\\Graphics\\warn.ico", lpFilePart=0x0) returned 0x27 [0071.288] SetErrorMode (uMode=0x1) returned 0x0 [0071.288] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.288] SetErrorMode (uMode=0x0) returned 0x1 [0071.288] GetFileType (hFile=0x30c) returned 0x1 [0071.288] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-10062, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x48 [0071.332] CloseHandle (hObject=0x30c) returned 1 [0071.332] SetErrorMode (uMode=0x1) returned 0x0 [0071.333] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.333] SetErrorMode (uMode=0x0) returned 0x1 [0071.333] GetFileType (hFile=0x30c) returned 0x1 [0071.333] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e758 | out: lpFileSizeHigh=0xf1e758*=0x0) returned 0x2796 [0071.335] CloseHandle (hObject=0x30c) returned 1 [0071.337] SetErrorMode (uMode=0x1) returned 0x0 [0071.337] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.337] SetErrorMode (uMode=0x0) returned 0x1 [0071.337] GetFileType (hFile=0x30c) returned 0x1 [0071.337] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e4e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e4e0*=0) returned 0x48 [0071.338] CloseHandle (hObject=0x30c) returned 1 [0071.338] SetErrorMode (uMode=0x1) returned 0x0 [0071.338] GetFileAttributesExW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), fInfoLevelId=0x0, lpFileInformation=0xf1e610 | out: lpFileInformation=0xf1e610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xe0940a18, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x39b3)) returned 1 [0071.338] SetErrorMode (uMode=0x0) returned 0x1 [0071.338] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.339] SetErrorMode (uMode=0x1) returned 0x0 [0071.339] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\#DECRYPT MY FILES#.html" (normalized: "c:\\588bce7c90097ed212\\graphics\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.339] SetErrorMode (uMode=0x0) returned 0x1 [0071.339] GetFileType (hFile=0x30c) returned 0x1 [0071.340] CloseHandle (hObject=0x30c) returned 1 [0071.341] SetErrorMode (uMode=0x1) returned 0x0 [0071.341] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xe0940a18, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe0940a18, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b32f0 [0071.341] SetErrorMode (uMode=0x0) returned 0x1 [0071.341] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.341] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.341] CoTaskMemFree (pv=0x10bd680) [0071.341] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.341] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0xf71bf157, Data2=0xaca, Data3=0x4e6c, Data4=([0]=0xa8, [1]=0xac, [2]=0x62, [3]=0x3a, [4]=0x32, [5]=0x82, [6]=0x1f, [7]=0x5a))) returned 0x0 [0071.341] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0071.341] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.341] CoTaskMemFree (pv=0x10be120) [0071.341] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.341] SetErrorMode (uMode=0x1) returned 0x0 [0071.342] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0071.344] SetErrorMode (uMode=0x0) returned 0x1 [0071.344] SetErrorMode (uMode=0x1) returned 0x0 [0071.344] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000)) returned 1 [0071.344] SetErrorMode (uMode=0x0) returned 0x1 [0071.344] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD", lpFilePart=0x0) returned 0xb [0071.344] SetErrorMode (uMode=0x1) returned 0x0 [0071.344] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.346] SetErrorMode (uMode=0x0) returned 0x1 [0071.346] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG", lpFilePart=0x0) returned 0xf [0071.346] SetErrorMode (uMode=0x1) returned 0x0 [0071.346] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0071.347] SetErrorMode (uMode=0x0) returned 0x1 [0071.347] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG", lpFilePart=0x0) returned 0xf [0071.347] SetErrorMode (uMode=0x1) returned 0x0 [0071.347] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.348] SetErrorMode (uMode=0x0) returned 0x1 [0071.349] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG1", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG1", lpFilePart=0x0) returned 0x10 [0071.349] SetErrorMode (uMode=0x1) returned 0x0 [0071.349] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0071.349] SetErrorMode (uMode=0x0) returned 0x1 [0071.349] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG1", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG1", lpFilePart=0x0) returned 0x10 [0071.349] SetErrorMode (uMode=0x1) returned 0x0 [0071.349] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.349] SetErrorMode (uMode=0x0) returned 0x1 [0071.349] GetFileType (hFile=0x30c) returned 0x1 [0071.349] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e848 | out: lpFileSizeHigh=0xf1e848*=0x0) returned 0x0 [0071.349] CloseHandle (hObject=0x30c) returned 1 [0071.350] SetErrorMode (uMode=0x1) returned 0x0 [0071.350] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.350] SetErrorMode (uMode=0x0) returned 0x1 [0071.350] GetFileType (hFile=0x30c) returned 0x1 [0071.350] SetEndOfFile (hFile=0x30c) returned 1 [0071.350] CloseHandle (hObject=0x30c) returned 1 [0071.350] SetErrorMode (uMode=0x1) returned 0x0 [0071.350] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.350] SetErrorMode (uMode=0x0) returned 0x1 [0071.350] GetFileType (hFile=0x30c) returned 0x1 [0071.350] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x0 [0071.351] CloseHandle (hObject=0x30c) returned 1 [0071.351] SetErrorMode (uMode=0x1) returned 0x0 [0071.351] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0966c42, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0071.352] SetErrorMode (uMode=0x0) returned 0x1 [0071.352] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\boot\\bcd.log1[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.352] SetErrorMode (uMode=0x1) returned 0x0 [0071.352] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0071.352] SetErrorMode (uMode=0x0) returned 0x1 [0071.352] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG2", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG2", lpFilePart=0x0) returned 0x10 [0071.352] SetErrorMode (uMode=0x1) returned 0x0 [0071.352] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.352] SetErrorMode (uMode=0x0) returned 0x1 [0071.353] GetFileType (hFile=0x30c) returned 0x1 [0071.353] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e848 | out: lpFileSizeHigh=0xf1e848*=0x0) returned 0x0 [0071.353] CloseHandle (hObject=0x30c) returned 1 [0071.353] SetErrorMode (uMode=0x1) returned 0x0 [0071.353] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.353] SetErrorMode (uMode=0x0) returned 0x1 [0071.353] GetFileType (hFile=0x30c) returned 0x1 [0071.353] SetEndOfFile (hFile=0x30c) returned 1 [0071.353] CloseHandle (hObject=0x30c) returned 1 [0071.353] SetErrorMode (uMode=0x1) returned 0x0 [0071.353] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.353] SetErrorMode (uMode=0x0) returned 0x1 [0071.353] GetFileType (hFile=0x30c) returned 0x1 [0071.353] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x0 [0071.354] CloseHandle (hObject=0x30c) returned 1 [0071.354] SetErrorMode (uMode=0x1) returned 0x0 [0071.354] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0966c42, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0071.355] SetErrorMode (uMode=0x0) returned 0x1 [0071.355] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\boot\\bcd.log2[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.355] SetErrorMode (uMode=0x1) returned 0x0 [0071.355] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0)) returned 1 [0071.357] SetErrorMode (uMode=0x0) returned 0x1 [0071.357] GetFullPathNameW (in: lpFileName="C:\\Boot\\bootspaces.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\bootspaces.dll", lpFilePart=0x0) returned 0x16 [0071.357] SetErrorMode (uMode=0x1) returned 0x0 [0071.357] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.357] SetErrorMode (uMode=0x0) returned 0x1 [0071.357] GetFileType (hFile=0x30c) returned 0x1 [0071.357] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x7ba1 [0071.359] CloseHandle (hObject=0x30c) returned 1 [0071.360] SetErrorMode (uMode=0x1) returned 0x0 [0071.360] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.361] SetErrorMode (uMode=0x0) returned 0x1 [0071.362] GetFullPathNameW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BOOTSTAT.DAT", lpFilePart=0x0) returned 0x14 [0071.362] SetErrorMode (uMode=0x1) returned 0x0 [0071.362] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0071.364] SetErrorMode (uMode=0x0) returned 0x1 [0071.364] GetFullPathNameW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BOOTSTAT.DAT", lpFilePart=0x0) returned 0x14 [0071.364] SetErrorMode (uMode=0x1) returned 0x0 [0071.364] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.364] SetErrorMode (uMode=0x0) returned 0x1 [0071.364] GetFileType (hFile=0x30c) returned 0x1 [0071.364] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-65520, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x10 [0071.367] CloseHandle (hObject=0x30c) returned 1 [0071.367] SetErrorMode (uMode=0x1) returned 0x0 [0071.367] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.367] SetErrorMode (uMode=0x0) returned 0x1 [0071.367] GetFileType (hFile=0x30c) returned 0x1 [0071.367] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x10000 [0071.369] CloseHandle (hObject=0x30c) returned 1 [0071.435] SetErrorMode (uMode=0x1) returned 0x0 [0071.435] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.435] SetErrorMode (uMode=0x0) returned 0x1 [0071.435] GetFileType (hFile=0x30c) returned 0x1 [0071.435] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x10 [0071.438] CloseHandle (hObject=0x30c) returned 1 [0071.438] SetErrorMode (uMode=0x1) returned 0x0 [0071.438] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0a258eb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1757b)) returned 1 [0071.439] SetErrorMode (uMode=0x0) returned 0x1 [0071.439] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\boot\\bootstat.dat[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0071.439] SetErrorMode (uMode=0x1) returned 0x0 [0071.439] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0)) returned 1 [0071.440] SetErrorMode (uMode=0x0) returned 0x1 [0071.440] GetFullPathNameW (in: lpFileName="C:\\Boot\\bootvhd.dll", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\bootvhd.dll", lpFilePart=0x0) returned 0x13 [0071.440] SetErrorMode (uMode=0x1) returned 0x0 [0071.440] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.440] SetErrorMode (uMode=0x0) returned 0x1 [0071.440] GetFileType (hFile=0x30c) returned 0x1 [0071.440] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x8ba1 [0071.442] CloseHandle (hObject=0x30c) returned 1 [0071.442] SetErrorMode (uMode=0x1) returned 0x0 [0071.442] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.444] SetErrorMode (uMode=0x0) returned 0x1 [0071.444] GetFullPathNameW (in: lpFileName="C:\\Boot\\memtest.exe", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\memtest.exe", lpFilePart=0x0) returned 0x13 [0071.444] SetErrorMode (uMode=0x1) returned 0x0 [0071.444] GetFileAttributesExW (in: lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0)) returned 1 [0071.445] SetErrorMode (uMode=0x0) returned 0x1 [0071.445] GetFullPathNameW (in: lpFileName="C:\\Boot\\memtest.exe", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\memtest.exe", lpFilePart=0x0) returned 0x13 [0071.445] SetErrorMode (uMode=0x1) returned 0x0 [0071.445] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.445] SetErrorMode (uMode=0x0) returned 0x1 [0071.445] GetFileType (hFile=0x30c) returned 0x1 [0071.445] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xb69a1 [0071.448] CloseHandle (hObject=0x30c) returned 1 [0071.448] SetErrorMode (uMode=0x1) returned 0x0 [0071.448] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.449] SetErrorMode (uMode=0x0) returned 0x1 [0071.450] GetFullPathNameW (in: lpFileName="C:\\Boot\\updaterevokesipolicy.p7b", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\updaterevokesipolicy.p7b", lpFilePart=0x0) returned 0x20 [0071.450] SetErrorMode (uMode=0x1) returned 0x0 [0071.450] GetFileAttributesExW (in: lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236)) returned 1 [0071.453] SetErrorMode (uMode=0x0) returned 0x1 [0071.457] GetFullPathNameW (in: lpFileName="C:\\Boot\\updaterevokesipolicy.p7b", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\updaterevokesipolicy.p7b", lpFilePart=0x0) returned 0x20 [0071.457] SetErrorMode (uMode=0x1) returned 0x0 [0071.457] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.457] SetErrorMode (uMode=0x0) returned 0x1 [0071.457] GetFileType (hFile=0x30c) returned 0x1 [0071.457] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-4563, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x63 [0071.459] CloseHandle (hObject=0x30c) returned 1 [0071.459] SetErrorMode (uMode=0x1) returned 0x0 [0071.459] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.460] SetErrorMode (uMode=0x0) returned 0x1 [0071.461] SetErrorMode (uMode=0x1) returned 0x0 [0071.461] CreateFileW (lpFileName="C:\\Boot\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.462] SetErrorMode (uMode=0x0) returned 0x1 [0071.462] GetFileType (hFile=0x30c) returned 0x1 [0071.463] CloseHandle (hObject=0x30c) returned 1 [0071.463] SetErrorMode (uMode=0x1) returned 0x0 [0071.463] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xe0a4b9cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe0a71b2b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0071.464] SetErrorMode (uMode=0x0) returned 0x1 [0071.464] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0071.464] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.464] CoTaskMemFree (pv=0x10bd8a0) [0071.464] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.464] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xd9f471ce, Data2=0xb2cd, Data3=0x44cc, Data4=([0]=0x96, [1]=0x4, [2]=0x1a, [3]=0x58, [4]=0xa, [5]=0x7e, [6]=0x46, [7]=0xd2))) returned 0x0 [0071.464] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.464] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.464] CoTaskMemFree (pv=0x10bd680) [0071.464] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.464] SetErrorMode (uMode=0x1) returned 0x0 [0071.464] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b31d0 [0071.465] SetErrorMode (uMode=0x0) returned 0x1 [0071.465] SetErrorMode (uMode=0x1) returned 0x0 [0071.465] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0071.465] SetErrorMode (uMode=0x0) returned 0x1 [0071.465] GetFullPathNameW (in: lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\bg-BG\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.465] SetErrorMode (uMode=0x1) returned 0x0 [0071.465] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.465] SetErrorMode (uMode=0x0) returned 0x1 [0071.465] GetFileType (hFile=0x30c) returned 0x1 [0071.465] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3561 [0071.551] CloseHandle (hObject=0x30c) returned 1 [0071.551] SetErrorMode (uMode=0x1) returned 0x0 [0071.551] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.552] SetErrorMode (uMode=0x0) returned 0x1 [0071.553] SetErrorMode (uMode=0x1) returned 0x0 [0071.553] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\bg-bg\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.553] SetErrorMode (uMode=0x0) returned 0x1 [0071.553] GetFileType (hFile=0x30c) returned 0x1 [0071.554] CloseHandle (hObject=0x30c) returned 1 [0071.555] SetErrorMode (uMode=0x1) returned 0x0 [0071.555] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0b56b26, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3230 [0071.555] SetErrorMode (uMode=0x0) returned 0x1 [0071.555] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.555] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.555] CoTaskMemFree (pv=0x10bd680) [0071.555] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.555] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x938ccbf2, Data2=0x3d7a, Data3=0x4c0b, Data4=([0]=0xb2, [1]=0x59, [2]=0x85, [3]=0x82, [4]=0x72, [5]=0x73, [6]=0x50, [7]=0x6e))) returned 0x0 [0071.555] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0071.555] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.555] CoTaskMemFree (pv=0x10bd8a0) [0071.555] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.556] SetErrorMode (uMode=0x1) returned 0x0 [0071.556] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3290 [0071.556] SetErrorMode (uMode=0x0) returned 0x1 [0071.556] SetErrorMode (uMode=0x1) returned 0x0 [0071.556] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58)) returned 1 [0071.556] SetErrorMode (uMode=0x0) returned 0x1 [0071.556] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.556] SetErrorMode (uMode=0x1) returned 0x0 [0071.556] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.556] SetErrorMode (uMode=0x0) returned 0x1 [0071.556] GetFileType (hFile=0x30c) returned 0x1 [0071.556] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3159 [0071.567] CloseHandle (hObject=0x30c) returned 1 [0071.567] SetErrorMode (uMode=0x1) returned 0x0 [0071.567] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.568] SetErrorMode (uMode=0x0) returned 0x1 [0071.569] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.569] SetErrorMode (uMode=0x1) returned 0x0 [0071.569] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0071.569] SetErrorMode (uMode=0x0) returned 0x1 [0071.569] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.569] SetErrorMode (uMode=0x1) returned 0x0 [0071.569] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.570] SetErrorMode (uMode=0x0) returned 0x1 [0071.570] GetFileType (hFile=0x30c) returned 0x1 [0071.570] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0071.571] CloseHandle (hObject=0x30c) returned 1 [0071.571] SetErrorMode (uMode=0x1) returned 0x0 [0071.571] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.573] SetErrorMode (uMode=0x0) returned 0x1 [0071.573] SetErrorMode (uMode=0x1) returned 0x0 [0071.573] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\cs-cz\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.575] SetErrorMode (uMode=0x0) returned 0x1 [0071.575] GetFileType (hFile=0x30c) returned 0x1 [0071.576] CloseHandle (hObject=0x30c) returned 1 [0071.577] SetErrorMode (uMode=0x1) returned 0x0 [0071.577] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xe0b7cde4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0071.577] SetErrorMode (uMode=0x0) returned 0x1 [0071.577] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.577] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.577] CoTaskMemFree (pv=0x10bd680) [0071.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.577] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xde4c5334, Data2=0x967f, Data3=0x4fb6, Data4=([0]=0xb2, [1]=0xd8, [2]=0x5, [3]=0x30, [4]=0xe7, [5]=0xa2, [6]=0xa0, [7]=0x88))) returned 0x0 [0071.577] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0071.577] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.577] CoTaskMemFree (pv=0x10be120) [0071.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.577] SetErrorMode (uMode=0x1) returned 0x0 [0071.577] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0071.578] SetErrorMode (uMode=0x0) returned 0x1 [0071.578] SetErrorMode (uMode=0x1) returned 0x0 [0071.578] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0071.578] SetErrorMode (uMode=0x0) returned 0x1 [0071.578] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.579] SetErrorMode (uMode=0x1) returned 0x0 [0071.579] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.579] SetErrorMode (uMode=0x0) returned 0x1 [0071.579] GetFileType (hFile=0x30c) returned 0x1 [0071.579] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2d61 [0071.583] CloseHandle (hObject=0x30c) returned 1 [0071.583] SetErrorMode (uMode=0x1) returned 0x0 [0071.583] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.584] SetErrorMode (uMode=0x0) returned 0x1 [0071.585] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.585] SetErrorMode (uMode=0x1) returned 0x0 [0071.585] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0071.585] SetErrorMode (uMode=0x0) returned 0x1 [0071.585] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.585] SetErrorMode (uMode=0x1) returned 0x0 [0071.585] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.585] SetErrorMode (uMode=0x0) returned 0x1 [0071.585] GetFileType (hFile=0x30c) returned 0x1 [0071.585] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0071.587] CloseHandle (hObject=0x30c) returned 1 [0071.587] SetErrorMode (uMode=0x1) returned 0x0 [0071.587] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.588] SetErrorMode (uMode=0x0) returned 0x1 [0071.589] SetErrorMode (uMode=0x1) returned 0x0 [0071.589] CreateFileW (lpFileName="C:\\Boot\\da-DK\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\da-dk\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.591] SetErrorMode (uMode=0x0) returned 0x1 [0071.591] GetFileType (hFile=0x30c) returned 0x1 [0071.592] CloseHandle (hObject=0x30c) returned 1 [0071.592] SetErrorMode (uMode=0x1) returned 0x0 [0071.592] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0ba2d56, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b33b0 [0071.592] SetErrorMode (uMode=0x0) returned 0x1 [0071.592] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0071.592] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.592] CoTaskMemFree (pv=0x10be120) [0071.592] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.592] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xc232181a, Data2=0xa2a5, Data3=0x4df6, Data4=([0]=0x92, [1]=0xd9, [2]=0x4e, [3]=0xf4, [4]=0x37, [5]=0x77, [6]=0x76, [7]=0xb8))) returned 0x0 [0071.593] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.593] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.593] CoTaskMemFree (pv=0x10bc9c0) [0071.593] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.593] SetErrorMode (uMode=0x1) returned 0x0 [0071.593] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0071.593] SetErrorMode (uMode=0x0) returned 0x1 [0071.593] SetErrorMode (uMode=0x1) returned 0x0 [0071.593] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560)) returned 1 [0071.594] SetErrorMode (uMode=0x0) returned 0x1 [0071.594] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.628] SetErrorMode (uMode=0x1) returned 0x0 [0071.628] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.628] SetErrorMode (uMode=0x0) returned 0x1 [0071.628] GetFileType (hFile=0x30c) returned 0x1 [0071.628] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3b61 [0071.715] CloseHandle (hObject=0x30c) returned 1 [0071.715] SetErrorMode (uMode=0x1) returned 0x0 [0071.715] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.716] SetErrorMode (uMode=0x0) returned 0x1 [0071.717] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.717] SetErrorMode (uMode=0x1) returned 0x0 [0071.717] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0)) returned 1 [0071.717] SetErrorMode (uMode=0x0) returned 0x1 [0071.717] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.718] SetErrorMode (uMode=0x1) returned 0x0 [0071.718] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.718] SetErrorMode (uMode=0x0) returned 0x1 [0071.718] GetFileType (hFile=0x30c) returned 0x1 [0071.718] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45981, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3 [0071.720] CloseHandle (hObject=0x30c) returned 1 [0071.720] SetErrorMode (uMode=0x1) returned 0x0 [0071.720] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.721] SetErrorMode (uMode=0x0) returned 0x1 [0071.722] SetErrorMode (uMode=0x1) returned 0x0 [0071.722] CreateFileW (lpFileName="C:\\Boot\\de-DE\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\de-de\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.724] SetErrorMode (uMode=0x0) returned 0x1 [0071.724] GetFileType (hFile=0x30c) returned 0x1 [0071.725] CloseHandle (hObject=0x30c) returned 1 [0071.725] SetErrorMode (uMode=0x1) returned 0x0 [0071.725] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0cfa28d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0071.726] SetErrorMode (uMode=0x0) returned 0x1 [0071.726] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.726] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.726] CoTaskMemFree (pv=0x10bc9c0) [0071.726] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.726] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xcff60b3b, Data2=0xb06e, Data3=0x4803, Data4=([0]=0xb6, [1]=0xab, [2]=0xa0, [3]=0xbd, [4]=0x3a, [5]=0x3a, [6]=0xae, [7]=0x19))) returned 0x0 [0071.726] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0071.726] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.726] CoTaskMemFree (pv=0x10bd8a0) [0071.726] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.726] SetErrorMode (uMode=0x1) returned 0x0 [0071.726] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3290 [0071.727] SetErrorMode (uMode=0x0) returned 0x1 [0071.727] SetErrorMode (uMode=0x1) returned 0x0 [0071.727] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960)) returned 1 [0071.727] SetErrorMode (uMode=0x0) returned 0x1 [0071.727] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.727] SetErrorMode (uMode=0x1) returned 0x0 [0071.727] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.727] SetErrorMode (uMode=0x0) returned 0x1 [0071.727] GetFileType (hFile=0x30c) returned 0x1 [0071.727] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3f61 [0071.729] CloseHandle (hObject=0x30c) returned 1 [0071.729] SetErrorMode (uMode=0x1) returned 0x0 [0071.729] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.730] SetErrorMode (uMode=0x0) returned 0x1 [0071.731] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.731] SetErrorMode (uMode=0x1) returned 0x0 [0071.731] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0)) returned 1 [0071.732] SetErrorMode (uMode=0x0) returned 0x1 [0071.733] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.733] SetErrorMode (uMode=0x1) returned 0x0 [0071.733] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.733] SetErrorMode (uMode=0x0) returned 0x1 [0071.733] GetFileType (hFile=0x30c) returned 0x1 [0071.733] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-46449, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2f [0071.734] CloseHandle (hObject=0x30c) returned 1 [0071.734] SetErrorMode (uMode=0x1) returned 0x0 [0071.735] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.736] SetErrorMode (uMode=0x0) returned 0x1 [0071.737] SetErrorMode (uMode=0x1) returned 0x0 [0071.737] CreateFileW (lpFileName="C:\\Boot\\el-GR\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\el-gr\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.739] SetErrorMode (uMode=0x0) returned 0x1 [0071.739] GetFileType (hFile=0x30c) returned 0x1 [0071.740] CloseHandle (hObject=0x30c) returned 1 [0071.740] SetErrorMode (uMode=0x1) returned 0x0 [0071.740] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xe0d20525, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3110 [0071.740] SetErrorMode (uMode=0x0) returned 0x1 [0071.740] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.740] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.740] CoTaskMemFree (pv=0x10bc9c0) [0071.740] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.740] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xac3bed86, Data2=0x5e3b, Data3=0x4191, Data4=([0]=0x87, [1]=0x13, [2]=0xce, [3]=0x16, [4]=0x49, [5]=0x59, [6]=0x4b, [7]=0xe8))) returned 0x0 [0071.741] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.741] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.741] CoTaskMemFree (pv=0x10bd680) [0071.741] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.741] SetErrorMode (uMode=0x1) returned 0x0 [0071.741] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0071.741] SetErrorMode (uMode=0x0) returned 0x1 [0071.741] SetErrorMode (uMode=0x1) returned 0x0 [0071.741] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158)) returned 1 [0071.741] SetErrorMode (uMode=0x0) returned 0x1 [0071.742] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-GB\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.742] SetErrorMode (uMode=0x1) returned 0x0 [0071.742] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.742] SetErrorMode (uMode=0x0) returned 0x1 [0071.742] GetFileType (hFile=0x30c) returned 0x1 [0071.742] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2759 [0071.744] CloseHandle (hObject=0x30c) returned 1 [0071.744] SetErrorMode (uMode=0x1) returned 0x0 [0071.744] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.745] SetErrorMode (uMode=0x0) returned 0x1 [0071.745] SetErrorMode (uMode=0x1) returned 0x0 [0071.746] CreateFileW (lpFileName="C:\\Boot\\en-GB\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\en-gb\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.746] SetErrorMode (uMode=0x0) returned 0x1 [0071.746] GetFileType (hFile=0x30c) returned 0x1 [0071.747] CloseHandle (hObject=0x30c) returned 1 [0071.748] SetErrorMode (uMode=0x1) returned 0x0 [0071.748] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0d20525, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0071.748] SetErrorMode (uMode=0x0) returned 0x1 [0071.748] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.748] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.748] CoTaskMemFree (pv=0x10bc9c0) [0071.748] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.748] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xaa5f9b97, Data2=0x7c55, Data3=0x4f99, Data4=([0]=0x83, [1]=0xd0, [2]=0x7b, [3]=0xbc, [4]=0xd0, [5]=0x20, [6]=0x6e, [7]=0xfb))) returned 0x0 [0071.748] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.748] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.748] CoTaskMemFree (pv=0x10bd680) [0071.748] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.748] SetErrorMode (uMode=0x1) returned 0x0 [0071.749] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3170 [0071.749] SetErrorMode (uMode=0x0) returned 0x1 [0071.749] SetErrorMode (uMode=0x1) returned 0x0 [0071.749] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0)) returned 1 [0071.754] SetErrorMode (uMode=0x0) returned 0x1 [0071.754] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.754] SetErrorMode (uMode=0x1) returned 0x0 [0071.754] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.755] SetErrorMode (uMode=0x0) returned 0x1 [0071.755] GetFileType (hFile=0x30c) returned 0x1 [0071.755] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x27a1 [0071.756] CloseHandle (hObject=0x30c) returned 1 [0071.757] SetErrorMode (uMode=0x1) returned 0x0 [0071.757] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.758] SetErrorMode (uMode=0x0) returned 0x1 [0071.758] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.759] SetErrorMode (uMode=0x1) returned 0x0 [0071.759] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0)) returned 1 [0071.759] SetErrorMode (uMode=0x0) returned 0x1 [0071.759] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.759] SetErrorMode (uMode=0x1) returned 0x0 [0071.759] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.759] SetErrorMode (uMode=0x0) returned 0x1 [0071.759] GetFileType (hFile=0x30c) returned 0x1 [0071.759] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-44928, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x20 [0071.761] CloseHandle (hObject=0x30c) returned 1 [0071.761] SetErrorMode (uMode=0x1) returned 0x0 [0071.761] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.762] SetErrorMode (uMode=0x0) returned 0x1 [0071.763] SetErrorMode (uMode=0x1) returned 0x0 [0071.763] CreateFileW (lpFileName="C:\\Boot\\en-US\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\en-us\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.764] SetErrorMode (uMode=0x0) returned 0x1 [0071.764] GetFileType (hFile=0x30c) returned 0x1 [0071.765] CloseHandle (hObject=0x30c) returned 1 [0071.766] SetErrorMode (uMode=0x1) returned 0x0 [0071.766] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xe0d466e9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3530 [0071.766] SetErrorMode (uMode=0x0) returned 0x1 [0071.766] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.766] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.766] CoTaskMemFree (pv=0x10bc9c0) [0071.766] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.767] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x97dcb857, Data2=0xf8ff, Data3=0x4624, Data4=([0]=0xaa, [1]=0x75, [2]=0xa7, [3]=0x43, [4]=0x75, [5]=0x2, [6]=0x7d, [7]=0x5e))) returned 0x0 [0071.767] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.767] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.767] CoTaskMemFree (pv=0x10bd680) [0071.767] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.767] SetErrorMode (uMode=0x1) returned 0x0 [0071.767] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0071.767] SetErrorMode (uMode=0x0) returned 0x1 [0071.767] SetErrorMode (uMode=0x1) returned 0x0 [0071.767] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0071.768] SetErrorMode (uMode=0x0) returned 0x1 [0071.768] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.768] SetErrorMode (uMode=0x1) returned 0x0 [0071.768] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.768] SetErrorMode (uMode=0x0) returned 0x1 [0071.768] GetFileType (hFile=0x30c) returned 0x1 [0071.768] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3561 [0071.770] CloseHandle (hObject=0x30c) returned 1 [0071.770] SetErrorMode (uMode=0x1) returned 0x0 [0071.770] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.771] SetErrorMode (uMode=0x0) returned 0x1 [0071.772] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.772] SetErrorMode (uMode=0x1) returned 0x0 [0071.772] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0)) returned 1 [0071.773] SetErrorMode (uMode=0x0) returned 0x1 [0071.773] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.773] SetErrorMode (uMode=0x1) returned 0x0 [0071.773] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.773] SetErrorMode (uMode=0x0) returned 0x1 [0071.773] GetFileType (hFile=0x30c) returned 0x1 [0071.773] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45981, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3 [0071.775] CloseHandle (hObject=0x30c) returned 1 [0071.775] SetErrorMode (uMode=0x1) returned 0x0 [0071.775] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.776] SetErrorMode (uMode=0x0) returned 0x1 [0071.777] SetErrorMode (uMode=0x1) returned 0x0 [0071.777] CreateFileW (lpFileName="C:\\Boot\\es-ES\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\es-es\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.779] SetErrorMode (uMode=0x0) returned 0x1 [0071.779] GetFileType (hFile=0x30c) returned 0x1 [0071.780] CloseHandle (hObject=0x30c) returned 1 [0071.780] SetErrorMode (uMode=0x1) returned 0x0 [0071.780] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0d6cb9a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0071.780] SetErrorMode (uMode=0x0) returned 0x1 [0071.780] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.780] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.780] CoTaskMemFree (pv=0x10bd680) [0071.780] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.780] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x4285c5c5, Data2=0x2c2f, Data3=0x4a6f, Data4=([0]=0xa1, [1]=0x9f, [2]=0x73, [3]=0xc0, [4]=0x29, [5]=0x9c, [6]=0x6f, [7]=0x46))) returned 0x0 [0071.781] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.781] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.781] CoTaskMemFree (pv=0x10bc9c0) [0071.781] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.781] SetErrorMode (uMode=0x1) returned 0x0 [0071.781] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3290 [0071.783] SetErrorMode (uMode=0x0) returned 0x1 [0071.783] SetErrorMode (uMode=0x1) returned 0x0 [0071.783] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0071.783] SetErrorMode (uMode=0x0) returned 0x1 [0071.784] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-MX\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.784] SetErrorMode (uMode=0x1) returned 0x0 [0071.784] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.784] SetErrorMode (uMode=0x0) returned 0x1 [0071.784] GetFileType (hFile=0x30c) returned 0x1 [0071.784] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3561 [0071.786] CloseHandle (hObject=0x30c) returned 1 [0071.786] SetErrorMode (uMode=0x1) returned 0x0 [0071.786] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.787] SetErrorMode (uMode=0x0) returned 0x1 [0071.788] SetErrorMode (uMode=0x1) returned 0x0 [0071.788] CreateFileW (lpFileName="C:\\Boot\\es-MX\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\es-mx\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.788] SetErrorMode (uMode=0x0) returned 0x1 [0071.788] GetFileType (hFile=0x30c) returned 0x1 [0071.789] CloseHandle (hObject=0x30c) returned 1 [0071.789] SetErrorMode (uMode=0x1) returned 0x0 [0071.789] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0d92e5d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0071.790] SetErrorMode (uMode=0x0) returned 0x1 [0071.790] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.790] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.790] CoTaskMemFree (pv=0x10bd680) [0071.790] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.790] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xee582b0c, Data2=0xf37f, Data3=0x4c9e, Data4=([0]=0x91, [1]=0x81, [2]=0x47, [3]=0xa3, [4]=0x6d, [5]=0xb2, [6]=0xa5, [7]=0x1b))) returned 0x0 [0071.790] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0071.790] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.790] CoTaskMemFree (pv=0x10bc9c0) [0071.790] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.790] SetErrorMode (uMode=0x1) returned 0x0 [0071.790] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3b30 [0071.790] SetErrorMode (uMode=0x0) returned 0x1 [0071.791] SetErrorMode (uMode=0x1) returned 0x0 [0071.791] GetFileAttributesExW (in: lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560)) returned 1 [0071.791] SetErrorMode (uMode=0x0) returned 0x1 [0071.791] GetFullPathNameW (in: lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\et-EE\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.791] SetErrorMode (uMode=0x1) returned 0x0 [0071.792] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.792] SetErrorMode (uMode=0x0) returned 0x1 [0071.792] GetFileType (hFile=0x30c) returned 0x1 [0071.792] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2b61 [0071.794] CloseHandle (hObject=0x30c) returned 1 [0071.794] SetErrorMode (uMode=0x1) returned 0x0 [0071.794] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.795] SetErrorMode (uMode=0x0) returned 0x1 [0071.796] SetErrorMode (uMode=0x1) returned 0x0 [0071.796] CreateFileW (lpFileName="C:\\Boot\\et-EE\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\et-ee\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.861] SetErrorMode (uMode=0x0) returned 0x1 [0071.861] GetFileType (hFile=0x30c) returned 0x1 [0071.862] CloseHandle (hObject=0x30c) returned 1 [0071.862] SetErrorMode (uMode=0x1) returned 0x0 [0071.862] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xe0e51a52, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b32f0 [0071.862] SetErrorMode (uMode=0x0) returned 0x1 [0071.862] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0071.863] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.863] CoTaskMemFree (pv=0x10bd8a0) [0071.863] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.863] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x6d56e1d2, Data2=0x6e4c, Data3=0x4367, Data4=([0]=0x8f, [1]=0x90, [2]=0xc7, [3]=0x56, [4]=0x61, [5]=0xff, [6]=0x32, [7]=0x9b))) returned 0x0 [0071.863] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0071.863] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.863] CoTaskMemFree (pv=0x10bd680) [0071.863] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.863] SetErrorMode (uMode=0x1) returned 0x0 [0071.863] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2e70 [0071.863] SetErrorMode (uMode=0x0) returned 0x1 [0071.863] SetErrorMode (uMode=0x1) returned 0x0 [0071.863] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0071.864] SetErrorMode (uMode=0x0) returned 0x1 [0071.864] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0071.864] SetErrorMode (uMode=0x1) returned 0x0 [0071.864] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.864] SetErrorMode (uMode=0x0) returned 0x1 [0071.864] GetFileType (hFile=0x30c) returned 0x1 [0071.864] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3161 [0071.866] CloseHandle (hObject=0x30c) returned 1 [0071.866] SetErrorMode (uMode=0x1) returned 0x0 [0071.866] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.867] SetErrorMode (uMode=0x0) returned 0x1 [0071.868] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.868] SetErrorMode (uMode=0x1) returned 0x0 [0071.868] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0071.868] SetErrorMode (uMode=0x0) returned 0x1 [0071.868] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0071.868] SetErrorMode (uMode=0x1) returned 0x0 [0071.868] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.868] SetErrorMode (uMode=0x0) returned 0x1 [0071.868] GetFileType (hFile=0x30c) returned 0x1 [0071.868] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0071.870] CloseHandle (hObject=0x30c) returned 1 [0071.870] SetErrorMode (uMode=0x1) returned 0x0 [0071.870] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.871] SetErrorMode (uMode=0x0) returned 0x1 [0071.872] SetErrorMode (uMode=0x1) returned 0x0 [0071.872] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\#DECRYPT MY FILES#.html" (normalized: "c:\\boot\\fi-fi\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0071.873] SetErrorMode (uMode=0x0) returned 0x1 [0071.874] GetFileType (hFile=0x30c) returned 0x1 [0071.874] CloseHandle (hObject=0x30c) returned 1 [0071.875] SetErrorMode (uMode=0x1) returned 0x0 [0071.875] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0e51a52, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0071.875] SetErrorMode (uMode=0x0) returned 0x1 [0071.875] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0071.875] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0071.875] CoTaskMemFree (pv=0x10be120) [0071.875] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0071.875] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x21ef627b, Data2=0x5df1, Data3=0x4592, Data4=([0]=0x89, [1]=0x65, [2]=0x2a, [3]=0x3d, [4]=0x69, [5]=0xe9, [6]=0xcc, [7]=0xe2))) returned 0x0 [0071.875] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0071.875] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0071.875] CoTaskMemFree (pv=0x10be120) [0071.876] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0071.876] SetErrorMode (uMode=0x1) returned 0x0 [0071.876] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3170 [0071.880] SetErrorMode (uMode=0x0) returned 0x1 [0071.880] SetErrorMode (uMode=0x1) returned 0x0 [0071.880] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467)) returned 1 [0071.882] SetErrorMode (uMode=0x0) returned 0x1 [0071.882] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\chs_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.882] SetErrorMode (uMode=0x1) returned 0x0 [0071.882] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.882] SetErrorMode (uMode=0x0) returned 0x1 [0071.882] GetFileType (hFile=0x30c) returned 0x1 [0071.882] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x376a68 [0071.885] CloseHandle (hObject=0x30c) returned 1 [0071.885] SetErrorMode (uMode=0x1) returned 0x0 [0071.885] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.886] SetErrorMode (uMode=0x0) returned 0x1 [0071.886] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\cht_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.887] SetErrorMode (uMode=0x1) returned 0x0 [0071.887] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a)) returned 1 [0071.888] SetErrorMode (uMode=0x0) returned 0x1 [0071.888] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\cht_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.888] SetErrorMode (uMode=0x1) returned 0x0 [0071.888] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.888] SetErrorMode (uMode=0x0) returned 0x1 [0071.888] GetFileType (hFile=0x30c) returned 0x1 [0071.888] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3a340b [0071.890] CloseHandle (hObject=0x30c) returned 1 [0071.890] SetErrorMode (uMode=0x1) returned 0x0 [0071.890] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.892] SetErrorMode (uMode=0x0) returned 0x1 [0071.892] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\jpn_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.892] SetErrorMode (uMode=0x1) returned 0x0 [0071.892] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b)) returned 1 [0071.896] SetErrorMode (uMode=0x0) returned 0x1 [0071.896] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\jpn_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.896] SetErrorMode (uMode=0x1) returned 0x0 [0071.896] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.896] SetErrorMode (uMode=0x0) returned 0x1 [0071.896] GetFileType (hFile=0x30c) returned 0x1 [0071.896] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1d534c [0071.898] CloseHandle (hObject=0x30c) returned 1 [0071.898] SetErrorMode (uMode=0x1) returned 0x0 [0071.898] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.899] SetErrorMode (uMode=0x0) returned 0x1 [0071.900] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\kor_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.900] SetErrorMode (uMode=0x1) returned 0x0 [0071.900] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588)) returned 1 [0071.942] SetErrorMode (uMode=0x0) returned 0x1 [0071.942] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\kor_boot.ttf", lpFilePart=0x0) returned 0x1a [0071.942] SetErrorMode (uMode=0x1) returned 0x0 [0071.942] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.942] SetErrorMode (uMode=0x0) returned 0x1 [0071.942] GetFileType (hFile=0x30c) returned 0x1 [0071.942] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x233b89 [0071.946] CloseHandle (hObject=0x30c) returned 1 [0071.946] SetErrorMode (uMode=0x1) returned 0x0 [0071.946] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.947] SetErrorMode (uMode=0x0) returned 0x1 [0071.948] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\malgunn_boot.ttf", lpFilePart=0x0) returned 0x1e [0071.948] SetErrorMode (uMode=0x1) returned 0x0 [0071.948] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f)) returned 1 [0071.949] SetErrorMode (uMode=0x0) returned 0x1 [0071.950] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\malgunn_boot.ttf", lpFilePart=0x0) returned 0x1e [0071.950] SetErrorMode (uMode=0x1) returned 0x0 [0071.950] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.950] SetErrorMode (uMode=0x0) returned 0x1 [0071.950] GetFileType (hFile=0x30c) returned 0x1 [0071.950] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1b170 [0071.952] CloseHandle (hObject=0x30c) returned 1 [0071.952] SetErrorMode (uMode=0x1) returned 0x0 [0071.952] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.953] SetErrorMode (uMode=0x0) returned 0x1 [0071.954] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\malgun_boot.ttf", lpFilePart=0x0) returned 0x1d [0071.954] SetErrorMode (uMode=0x1) returned 0x0 [0071.954] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506)) returned 1 [0071.956] SetErrorMode (uMode=0x0) returned 0x1 [0071.956] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\malgun_boot.ttf", lpFilePart=0x0) returned 0x1d [0071.956] SetErrorMode (uMode=0x1) returned 0x0 [0071.957] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.957] SetErrorMode (uMode=0x0) returned 0x1 [0071.957] GetFileType (hFile=0x30c) returned 0x1 [0071.957] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1bb07 [0071.959] CloseHandle (hObject=0x30c) returned 1 [0071.959] SetErrorMode (uMode=0x1) returned 0x0 [0071.959] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.960] SetErrorMode (uMode=0x0) returned 0x1 [0071.961] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\meiryon_boot.ttf", lpFilePart=0x0) returned 0x1e [0071.961] SetErrorMode (uMode=0x1) returned 0x0 [0071.961] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a)) returned 1 [0071.963] SetErrorMode (uMode=0x0) returned 0x1 [0071.963] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\meiryon_boot.ttf", lpFilePart=0x0) returned 0x1e [0071.963] SetErrorMode (uMode=0x1) returned 0x0 [0071.963] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.963] SetErrorMode (uMode=0x0) returned 0x1 [0071.963] GetFileType (hFile=0x30c) returned 0x1 [0071.963] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1378b [0071.965] CloseHandle (hObject=0x30c) returned 1 [0071.965] SetErrorMode (uMode=0x1) returned 0x0 [0071.965] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.966] SetErrorMode (uMode=0x0) returned 0x1 [0071.967] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\meiryo_boot.ttf", lpFilePart=0x0) returned 0x1d [0071.967] SetErrorMode (uMode=0x1) returned 0x0 [0071.967] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b)) returned 1 [0071.969] SetErrorMode (uMode=0x0) returned 0x1 [0071.969] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\meiryo_boot.ttf", lpFilePart=0x0) returned 0x1d [0071.969] SetErrorMode (uMode=0x1) returned 0x0 [0071.969] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.969] SetErrorMode (uMode=0x0) returned 0x1 [0071.969] GetFileType (hFile=0x30c) returned 0x1 [0071.969] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x13e0c [0071.973] CloseHandle (hObject=0x30c) returned 1 [0071.974] SetErrorMode (uMode=0x1) returned 0x0 [0071.974] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.975] SetErrorMode (uMode=0x0) returned 0x1 [0071.975] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msjhn_boot.ttf", lpFilePart=0x0) returned 0x1c [0071.975] SetErrorMode (uMode=0x1) returned 0x0 [0071.975] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b)) returned 1 [0071.976] SetErrorMode (uMode=0x0) returned 0x1 [0071.976] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msjhn_boot.ttf", lpFilePart=0x0) returned 0x1c [0071.976] SetErrorMode (uMode=0x1) returned 0x0 [0071.976] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.976] SetErrorMode (uMode=0x0) returned 0x1 [0071.976] GetFileType (hFile=0x30c) returned 0x1 [0071.976] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1801c [0071.978] CloseHandle (hObject=0x30c) returned 1 [0071.978] SetErrorMode (uMode=0x1) returned 0x0 [0071.978] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.979] SetErrorMode (uMode=0x0) returned 0x1 [0071.980] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msjh_boot.ttf", lpFilePart=0x0) returned 0x1b [0071.980] SetErrorMode (uMode=0x1) returned 0x0 [0071.980] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb)) returned 1 [0071.981] SetErrorMode (uMode=0x0) returned 0x1 [0071.981] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msjh_boot.ttf", lpFilePart=0x0) returned 0x1b [0071.981] SetErrorMode (uMode=0x1) returned 0x0 [0071.981] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0071.981] SetErrorMode (uMode=0x0) returned 0x1 [0071.981] GetFileType (hFile=0x30c) returned 0x1 [0071.981] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x187fc [0071.983] CloseHandle (hObject=0x30c) returned 1 [0071.983] SetErrorMode (uMode=0x1) returned 0x0 [0071.983] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0071.984] SetErrorMode (uMode=0x0) returned 0x1 [0071.985] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msyhn_boot.ttf", lpFilePart=0x0) returned 0x1c [0071.985] SetErrorMode (uMode=0x1) returned 0x0 [0071.985] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b)) returned 1 [0071.985] SetErrorMode (uMode=0x0) returned 0x1 [0072.027] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msyhn_boot.ttf", lpFilePart=0x0) returned 0x1c [0072.027] SetErrorMode (uMode=0x1) returned 0x0 [0072.027] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0072.028] SetErrorMode (uMode=0x0) returned 0x1 [0072.028] GetFileType (hFile=0x30c) returned 0x1 [0072.028] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x1613c [0072.030] CloseHandle (hObject=0x30c) returned 1 [0072.030] SetErrorMode (uMode=0x1) returned 0x0 [0072.030] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0072.031] SetErrorMode (uMode=0x0) returned 0x1 [0072.032] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msyh_boot.ttf", lpFilePart=0x0) returned 0x1b [0072.032] SetErrorMode (uMode=0x1) returned 0x0 [0072.032] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255)) returned 1 [0072.032] SetErrorMode (uMode=0x0) returned 0x1 [0072.032] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\msyh_boot.ttf", lpFilePart=0x0) returned 0x1b [0072.032] SetErrorMode (uMode=0x1) returned 0x0 [0072.032] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0072.033] SetErrorMode (uMode=0x0) returned 0x1 [0072.033] GetFileType (hFile=0x30c) returned 0x1 [0072.033] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x16856 [0072.034] CloseHandle (hObject=0x30c) returned 1 [0072.035] SetErrorMode (uMode=0x1) returned 0x0 [0072.035] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0072.036] SetErrorMode (uMode=0x0) returned 0x1 [0072.036] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segmono_boot.ttf", lpFilePart=0x0) returned 0x1e [0072.036] SetErrorMode (uMode=0x1) returned 0x0 [0072.036] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b)) returned 1 [0072.038] SetErrorMode (uMode=0x0) returned 0x1 [0072.038] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segmono_boot.ttf", lpFilePart=0x0) returned 0x1e [0072.038] SetErrorMode (uMode=0x1) returned 0x0 [0072.038] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0072.038] SetErrorMode (uMode=0x0) returned 0x1 [0072.038] GetFileType (hFile=0x30c) returned 0x1 [0072.038] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-44811, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x30 [0072.040] CloseHandle (hObject=0x30c) returned 1 [0072.040] SetErrorMode (uMode=0x1) returned 0x0 [0072.040] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0072.041] SetErrorMode (uMode=0x0) returned 0x1 [0072.042] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segoen_slboot.ttf", lpFilePart=0x0) returned 0x1f [0072.042] SetErrorMode (uMode=0x1) returned 0x0 [0072.042] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66)) returned 1 [0072.042] SetErrorMode (uMode=0x0) returned 0x1 [0072.042] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segoen_slboot.ttf", lpFilePart=0x0) returned 0x1f [0072.042] SetErrorMode (uMode=0x1) returned 0x0 [0072.042] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0072.042] SetErrorMode (uMode=0x0) returned 0x1 [0072.043] GetFileType (hFile=0x30c) returned 0x1 [0072.043] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5567 [0072.044] CloseHandle (hObject=0x30c) returned 1 [0072.044] SetErrorMode (uMode=0x1) returned 0x0 [0072.044] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0072.045] SetErrorMode (uMode=0x0) returned 0x1 [0072.046] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segoe_slboot.ttf", lpFilePart=0x0) returned 0x1e [0072.046] SetErrorMode (uMode=0x1) returned 0x0 [0072.046] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2)) returned 1 [0072.046] SetErrorMode (uMode=0x0) returned 0x1 [0072.046] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\segoe_slboot.ttf", lpFilePart=0x0) returned 0x1e [0072.046] SetErrorMode (uMode=0x1) returned 0x0 [0072.046] SetErrorMode (uMode=0x0) returned 0x1 [0072.047] GetFileType (hFile=0x30c) returned 0x1 [0072.047] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x56a3 [0072.049] CloseHandle (hObject=0x30c) returned 1 [0072.049] SetErrorMode (uMode=0x1) returned 0x0 [0072.050] SetErrorMode (uMode=0x0) returned 0x1 [0072.051] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\wgl4_boot.ttf", lpFilePart=0x0) returned 0x1b [0072.051] SetErrorMode (uMode=0x1) returned 0x0 [0072.051] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3)) returned 1 [0072.051] SetErrorMode (uMode=0x0) returned 0x1 [0072.051] SetErrorMode (uMode=0x1) returned 0x0 [0072.051] SetErrorMode (uMode=0x0) returned 0x1 [0072.051] GetFileType (hFile=0x30c) returned 0x1 [0072.051] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-49023, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x44 [0072.053] CloseHandle (hObject=0x30c) returned 1 [0072.053] SetErrorMode (uMode=0x1) returned 0x0 [0072.054] SetErrorMode (uMode=0x0) returned 0x1 [0072.055] SetErrorMode (uMode=0x1) returned 0x0 [0072.056] SetErrorMode (uMode=0x0) returned 0x1 [0072.056] GetFileType (hFile=0x30c) returned 0x1 [0072.057] CloseHandle (hObject=0x30c) returned 1 [0072.057] SetErrorMode (uMode=0x1) returned 0x0 [0072.057] SetErrorMode (uMode=0x0) returned 0x1 [0072.057] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.057] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.057] CoTaskMemFree (pv=0x10bd680) [0072.057] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.057] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xd92e9adf, Data2=0x9d73, Data3=0x41c6, Data4=([0]=0xaf, [1]=0xba, [2]=0xce, [3]=0xdc, [4]=0xfa, [5]=0x92, [6]=0x82, [7]=0x3d))) returned 0x0 [0072.058] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.058] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.058] CoTaskMemFree (pv=0x10bd8a0) [0072.058] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.058] SetErrorMode (uMode=0x1) returned 0x0 [0072.058] SetErrorMode (uMode=0x0) returned 0x1 [0072.058] SetErrorMode (uMode=0x1) returned 0x0 [0072.059] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560)) returned 1 [0072.059] SetErrorMode (uMode=0x0) returned 0x1 [0072.059] SetErrorMode (uMode=0x1) returned 0x0 [0072.059] SetErrorMode (uMode=0x0) returned 0x1 [0072.059] GetFileType (hFile=0x30c) returned 0x1 [0072.059] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3b61 [0072.061] CloseHandle (hObject=0x30c) returned 1 [0072.061] SetErrorMode (uMode=0x1) returned 0x0 [0072.062] SetErrorMode (uMode=0x0) returned 0x1 [0072.063] SetErrorMode (uMode=0x1) returned 0x0 [0072.108] SetErrorMode (uMode=0x0) returned 0x1 [0072.108] GetFileType (hFile=0x30c) returned 0x1 [0072.112] CloseHandle (hObject=0x30c) returned 1 [0072.112] SetErrorMode (uMode=0x1) returned 0x0 [0072.113] SetErrorMode (uMode=0x0) returned 0x1 [0072.113] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.113] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.113] CoTaskMemFree (pv=0x10bd680) [0072.114] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.114] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x966a0049, Data2=0x2dbd, Data3=0x45b4, Data4=([0]=0xa8, [1]=0xb4, [2]=0x1f, [3]=0x0, [4]=0xb8, [5]=0xca, [6]=0xc, [7]=0xd4))) returned 0x0 [0072.114] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.114] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.114] CoTaskMemFree (pv=0x10bd680) [0072.114] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.115] SetErrorMode (uMode=0x1) returned 0x0 [0072.117] SetErrorMode (uMode=0x0) returned 0x1 [0072.130] SetErrorMode (uMode=0x1) returned 0x0 [0072.130] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558)) returned 1 [0072.131] SetErrorMode (uMode=0x0) returned 0x1 [0072.131] SetErrorMode (uMode=0x1) returned 0x0 [0072.131] SetErrorMode (uMode=0x0) returned 0x1 [0072.131] GetFileType (hFile=0x30c) returned 0x1 [0072.132] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3b59 [0072.134] CloseHandle (hObject=0x30c) returned 1 [0072.134] SetErrorMode (uMode=0x1) returned 0x0 [0072.135] SetErrorMode (uMode=0x0) returned 0x1 [0072.136] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.136] SetErrorMode (uMode=0x1) returned 0x0 [0072.136] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0)) returned 1 [0072.136] SetErrorMode (uMode=0x0) returned 0x1 [0072.136] SetErrorMode (uMode=0x1) returned 0x0 [0072.136] SetErrorMode (uMode=0x0) returned 0x1 [0072.137] GetFileType (hFile=0x30c) returned 0x1 [0072.137] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45981, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3 [0072.138] CloseHandle (hObject=0x30c) returned 1 [0072.139] SetErrorMode (uMode=0x1) returned 0x0 [0072.140] SetErrorMode (uMode=0x0) returned 0x1 [0072.140] SetErrorMode (uMode=0x1) returned 0x0 [0072.143] SetErrorMode (uMode=0x0) returned 0x1 [0072.143] GetFileType (hFile=0x30c) returned 0x1 [0072.144] CloseHandle (hObject=0x30c) returned 1 [0072.144] SetErrorMode (uMode=0x1) returned 0x0 [0072.145] SetErrorMode (uMode=0x0) returned 0x1 [0072.145] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.145] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.145] CoTaskMemFree (pv=0x10bd8a0) [0072.145] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.145] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x5b5dcb49, Data2=0x625, Data3=0x44d5, Data4=([0]=0x99, [1]=0xce, [2]=0x4d, [3]=0xb6, [4]=0x7, [5]=0x33, [6]=0xf4, [7]=0x8d))) returned 0x0 [0072.145] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.145] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.145] CoTaskMemFree (pv=0x10bd680) [0072.145] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.145] SetErrorMode (uMode=0x1) returned 0x0 [0072.145] SetErrorMode (uMode=0x0) returned 0x1 [0072.145] SetErrorMode (uMode=0x1) returned 0x0 [0072.146] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0072.146] SetErrorMode (uMode=0x0) returned 0x1 [0072.146] SetErrorMode (uMode=0x1) returned 0x0 [0072.146] SetErrorMode (uMode=0x0) returned 0x1 [0072.146] GetFileType (hFile=0x30c) returned 0x1 [0072.146] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3161 [0072.148] CloseHandle (hObject=0x30c) returned 1 [0072.148] SetErrorMode (uMode=0x1) returned 0x0 [0072.149] SetErrorMode (uMode=0x0) returned 0x1 [0072.150] SetErrorMode (uMode=0x1) returned 0x0 [0072.150] SetErrorMode (uMode=0x0) returned 0x1 [0072.150] GetFileType (hFile=0x30c) returned 0x1 [0072.151] CloseHandle (hObject=0x30c) returned 1 [0072.151] SetErrorMode (uMode=0x1) returned 0x0 [0072.151] SetErrorMode (uMode=0x0) returned 0x1 [0072.151] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.151] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.151] CoTaskMemFree (pv=0x10bc9c0) [0072.151] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.151] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xa63738f5, Data2=0xc99d, Data3=0x42c3, Data4=([0]=0x80, [1]=0x78, [2]=0x67, [3]=0x20, [4]=0x24, [5]=0x8d, [6]=0x59, [7]=0x96))) returned 0x0 [0072.152] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.152] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.152] CoTaskMemFree (pv=0x10bd680) [0072.152] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.152] SetErrorMode (uMode=0x1) returned 0x0 [0072.152] SetErrorMode (uMode=0x0) returned 0x1 [0072.152] SetErrorMode (uMode=0x1) returned 0x0 [0072.152] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360)) returned 1 [0072.153] SetErrorMode (uMode=0x0) returned 0x1 [0072.153] SetErrorMode (uMode=0x1) returned 0x0 [0072.153] SetErrorMode (uMode=0x0) returned 0x1 [0072.153] GetFileType (hFile=0x30c) returned 0x1 [0072.153] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3961 [0072.155] CloseHandle (hObject=0x30c) returned 1 [0072.155] SetErrorMode (uMode=0x1) returned 0x0 [0072.156] SetErrorMode (uMode=0x0) returned 0x1 [0072.157] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.157] SetErrorMode (uMode=0x1) returned 0x0 [0072.157] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398)) returned 1 [0072.160] SetErrorMode (uMode=0x0) returned 0x1 [0072.160] SetErrorMode (uMode=0x1) returned 0x0 [0072.160] SetErrorMode (uMode=0x0) returned 0x1 [0072.160] GetFileType (hFile=0x30c) returned 0x1 [0072.160] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45864, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x70 [0072.162] CloseHandle (hObject=0x30c) returned 1 [0072.162] SetErrorMode (uMode=0x1) returned 0x0 [0072.163] SetErrorMode (uMode=0x0) returned 0x1 [0072.164] SetErrorMode (uMode=0x1) returned 0x0 [0072.166] SetErrorMode (uMode=0x0) returned 0x1 [0072.166] GetFileType (hFile=0x30c) returned 0x1 [0072.167] CloseHandle (hObject=0x30c) returned 1 [0072.167] SetErrorMode (uMode=0x1) returned 0x0 [0072.167] SetErrorMode (uMode=0x0) returned 0x1 [0072.167] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.167] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.167] CoTaskMemFree (pv=0x10bd8a0) [0072.167] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.167] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xa59d20e1, Data2=0x1d60, Data3=0x4d07, Data4=([0]=0x9f, [1]=0xcc, [2]=0x30, [3]=0xb, [4]=0x2a, [5]=0x92, [6]=0xb3, [7]=0xfe))) returned 0x0 [0072.167] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.167] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.168] CoTaskMemFree (pv=0x10bd680) [0072.168] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.168] SetErrorMode (uMode=0x1) returned 0x0 [0072.168] SetErrorMode (uMode=0x0) returned 0x1 [0072.168] SetErrorMode (uMode=0x1) returned 0x0 [0072.168] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58)) returned 1 [0072.168] SetErrorMode (uMode=0x0) returned 0x1 [0072.168] SetErrorMode (uMode=0x1) returned 0x0 [0072.168] SetErrorMode (uMode=0x0) returned 0x1 [0072.168] GetFileType (hFile=0x30c) returned 0x1 [0072.168] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3359 [0072.207] CloseHandle (hObject=0x30c) returned 1 [0072.207] SetErrorMode (uMode=0x1) returned 0x0 [0072.208] SetErrorMode (uMode=0x0) returned 0x1 [0072.209] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.209] SetErrorMode (uMode=0x1) returned 0x0 [0072.209] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0072.210] SetErrorMode (uMode=0x0) returned 0x1 [0072.210] SetErrorMode (uMode=0x1) returned 0x0 [0072.210] SetErrorMode (uMode=0x0) returned 0x1 [0072.210] GetFileType (hFile=0x30c) returned 0x1 [0072.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0072.212] CloseHandle (hObject=0x30c) returned 1 [0072.212] SetErrorMode (uMode=0x1) returned 0x0 [0072.213] SetErrorMode (uMode=0x0) returned 0x1 [0072.213] SetErrorMode (uMode=0x1) returned 0x0 [0072.215] SetErrorMode (uMode=0x0) returned 0x1 [0072.215] GetFileType (hFile=0x30c) returned 0x1 [0072.219] CloseHandle (hObject=0x30c) returned 1 [0072.219] SetErrorMode (uMode=0x1) returned 0x0 [0072.219] SetErrorMode (uMode=0x0) returned 0x1 [0072.220] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.220] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.220] CoTaskMemFree (pv=0x10bd680) [0072.220] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.220] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xda1af98e, Data2=0x5443, Data3=0x4e38, Data4=([0]=0xb9, [1]=0xf, [2]=0xc4, [3]=0xa8, [4]=0x68, [5]=0x47, [6]=0x2a, [7]=0x5e))) returned 0x0 [0072.220] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.220] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.220] CoTaskMemFree (pv=0x10bd680) [0072.220] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.220] SetErrorMode (uMode=0x1) returned 0x0 [0072.221] SetErrorMode (uMode=0x0) returned 0x1 [0072.221] SetErrorMode (uMode=0x1) returned 0x0 [0072.221] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760)) returned 1 [0072.221] SetErrorMode (uMode=0x0) returned 0x1 [0072.221] SetErrorMode (uMode=0x1) returned 0x0 [0072.221] SetErrorMode (uMode=0x0) returned 0x1 [0072.221] GetFileType (hFile=0x30c) returned 0x1 [0072.221] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xd61 [0072.223] CloseHandle (hObject=0x30c) returned 1 [0072.224] SetErrorMode (uMode=0x1) returned 0x0 [0072.224] SetErrorMode (uMode=0x0) returned 0x1 [0072.225] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.225] SetErrorMode (uMode=0x1) returned 0x0 [0072.225] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798)) returned 1 [0072.225] SetErrorMode (uMode=0x0) returned 0x1 [0072.225] SetErrorMode (uMode=0x1) returned 0x0 [0072.226] SetErrorMode (uMode=0x0) returned 0x1 [0072.226] GetFileType (hFile=0x30c) returned 0x1 [0072.226] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42822, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x52 [0072.227] CloseHandle (hObject=0x30c) returned 1 [0072.227] SetErrorMode (uMode=0x1) returned 0x0 [0072.228] SetErrorMode (uMode=0x0) returned 0x1 [0072.229] SetErrorMode (uMode=0x1) returned 0x0 [0072.231] SetErrorMode (uMode=0x0) returned 0x1 [0072.231] GetFileType (hFile=0x30c) returned 0x1 [0072.232] CloseHandle (hObject=0x30c) returned 1 [0072.232] SetErrorMode (uMode=0x1) returned 0x0 [0072.232] SetErrorMode (uMode=0x0) returned 0x1 [0072.232] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.232] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.232] CoTaskMemFree (pv=0x10bc9c0) [0072.232] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.232] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x61f278bb, Data2=0x24ea, Data3=0x40ec, Data4=([0]=0x8a, [1]=0x48, [2]=0x2e, [3]=0xe0, [4]=0x97, [5]=0xb8, [6]=0x40, [7]=0xc7))) returned 0x0 [0072.232] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.232] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.232] CoTaskMemFree (pv=0x10be120) [0072.232] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.233] SetErrorMode (uMode=0x1) returned 0x0 [0072.233] SetErrorMode (uMode=0x0) returned 0x1 [0072.233] SetErrorMode (uMode=0x1) returned 0x0 [0072.233] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560)) returned 1 [0072.233] SetErrorMode (uMode=0x0) returned 0x1 [0072.233] SetErrorMode (uMode=0x1) returned 0x0 [0072.234] SetErrorMode (uMode=0x0) returned 0x1 [0072.234] GetFileType (hFile=0x30c) returned 0x1 [0072.234] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0xb61 [0072.235] CloseHandle (hObject=0x30c) returned 1 [0072.236] SetErrorMode (uMode=0x1) returned 0x0 [0072.237] SetErrorMode (uMode=0x0) returned 0x1 [0072.237] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.237] SetErrorMode (uMode=0x1) returned 0x0 [0072.237] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0)) returned 1 [0072.237] SetErrorMode (uMode=0x0) returned 0x1 [0072.237] SetErrorMode (uMode=0x1) returned 0x0 [0072.237] SetErrorMode (uMode=0x0) returned 0x1 [0072.237] GetFileType (hFile=0x30c) returned 0x1 [0072.237] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42822, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5a [0072.239] CloseHandle (hObject=0x30c) returned 1 [0072.239] SetErrorMode (uMode=0x1) returned 0x0 [0072.240] SetErrorMode (uMode=0x0) returned 0x1 [0072.240] SetErrorMode (uMode=0x1) returned 0x0 [0072.242] SetErrorMode (uMode=0x0) returned 0x1 [0072.242] GetFileType (hFile=0x30c) returned 0x1 [0072.243] CloseHandle (hObject=0x30c) returned 1 [0072.243] SetErrorMode (uMode=0x1) returned 0x0 [0072.243] SetErrorMode (uMode=0x0) returned 0x1 [0072.243] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.243] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.244] CoTaskMemFree (pv=0x10be120) [0072.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.244] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x7bb74119, Data2=0x702f, Data3=0x446b, Data4=([0]=0xaf, [1]=0xe1, [2]=0xf8, [3]=0xad, [4]=0x84, [5]=0x52, [6]=0x30, [7]=0x6d))) returned 0x0 [0072.244] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.244] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.244] CoTaskMemFree (pv=0x10bd8a0) [0072.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.244] SetErrorMode (uMode=0x1) returned 0x0 [0072.244] SetErrorMode (uMode=0x0) returned 0x1 [0072.244] SetErrorMode (uMode=0x1) returned 0x0 [0072.244] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0072.244] SetErrorMode (uMode=0x0) returned 0x1 [0072.244] SetErrorMode (uMode=0x1) returned 0x0 [0072.245] SetErrorMode (uMode=0x0) returned 0x1 [0072.245] GetFileType (hFile=0x30c) returned 0x1 [0072.245] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2d61 [0072.281] CloseHandle (hObject=0x30c) returned 1 [0072.282] SetErrorMode (uMode=0x1) returned 0x0 [0072.283] SetErrorMode (uMode=0x0) returned 0x1 [0072.283] SetErrorMode (uMode=0x1) returned 0x0 [0072.284] SetErrorMode (uMode=0x0) returned 0x1 [0072.284] GetFileType (hFile=0x30c) returned 0x1 [0072.285] CloseHandle (hObject=0x30c) returned 1 [0072.285] SetErrorMode (uMode=0x1) returned 0x0 [0072.285] SetErrorMode (uMode=0x0) returned 0x1 [0072.285] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.285] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.285] CoTaskMemFree (pv=0x10be120) [0072.285] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.285] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x2eba47a5, Data2=0x18a4, Data3=0x458f, Data4=([0]=0x8d, [1]=0xaa, [2]=0xfa, [3]=0x74, [4]=0x5a, [5]=0xac, [6]=0xcf, [7]=0x80))) returned 0x0 [0072.285] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.285] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.285] CoTaskMemFree (pv=0x10bd680) [0072.285] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.286] SetErrorMode (uMode=0x1) returned 0x0 [0072.286] SetErrorMode (uMode=0x0) returned 0x1 [0072.286] SetErrorMode (uMode=0x1) returned 0x0 [0072.286] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758)) returned 1 [0072.286] SetErrorMode (uMode=0x0) returned 0x1 [0072.286] SetErrorMode (uMode=0x1) returned 0x0 [0072.286] SetErrorMode (uMode=0x0) returned 0x1 [0072.286] GetFileType (hFile=0x30c) returned 0x1 [0072.286] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2d59 [0072.288] CloseHandle (hObject=0x30c) returned 1 [0072.288] SetErrorMode (uMode=0x1) returned 0x0 [0072.289] SetErrorMode (uMode=0x0) returned 0x1 [0072.290] SetErrorMode (uMode=0x1) returned 0x0 [0072.290] SetErrorMode (uMode=0x0) returned 0x1 [0072.290] GetFileType (hFile=0x30c) returned 0x1 [0072.291] CloseHandle (hObject=0x30c) returned 1 [0072.291] SetErrorMode (uMode=0x1) returned 0x0 [0072.291] SetErrorMode (uMode=0x0) returned 0x1 [0072.292] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.292] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.292] CoTaskMemFree (pv=0x10be120) [0072.292] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.292] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x21d06dfd, Data2=0x2853, Data3=0x4daf, Data4=([0]=0x95, [1]=0xfd, [2]=0x31, [3]=0x71, [4]=0x6d, [5]=0x60, [6]=0xd8, [7]=0x6e))) returned 0x0 [0072.292] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.292] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.292] CoTaskMemFree (pv=0x10bd680) [0072.292] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.292] SetErrorMode (uMode=0x1) returned 0x0 [0072.293] SetErrorMode (uMode=0x0) returned 0x1 [0072.293] SetErrorMode (uMode=0x1) returned 0x0 [0072.293] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0072.293] SetErrorMode (uMode=0x0) returned 0x1 [0072.293] SetErrorMode (uMode=0x1) returned 0x0 [0072.293] SetErrorMode (uMode=0x0) returned 0x1 [0072.293] GetFileType (hFile=0x30c) returned 0x1 [0072.293] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2d61 [0072.295] CloseHandle (hObject=0x30c) returned 1 [0072.295] SetErrorMode (uMode=0x1) returned 0x0 [0072.296] SetErrorMode (uMode=0x0) returned 0x1 [0072.297] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.297] SetErrorMode (uMode=0x1) returned 0x0 [0072.297] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0072.297] SetErrorMode (uMode=0x0) returned 0x1 [0072.297] SetErrorMode (uMode=0x1) returned 0x0 [0072.297] SetErrorMode (uMode=0x0) returned 0x1 [0072.297] GetFileType (hFile=0x30c) returned 0x1 [0072.297] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0072.299] CloseHandle (hObject=0x30c) returned 1 [0072.299] SetErrorMode (uMode=0x1) returned 0x0 [0072.300] SetErrorMode (uMode=0x0) returned 0x1 [0072.301] SetErrorMode (uMode=0x1) returned 0x0 [0072.303] SetErrorMode (uMode=0x0) returned 0x1 [0072.303] GetFileType (hFile=0x30c) returned 0x1 [0072.304] CloseHandle (hObject=0x30c) returned 1 [0072.304] SetErrorMode (uMode=0x1) returned 0x0 [0072.304] SetErrorMode (uMode=0x0) returned 0x1 [0072.304] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.304] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.304] CoTaskMemFree (pv=0x10be120) [0072.304] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.304] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x1f582dc3, Data2=0x30fc, Data3=0x4c0c, Data4=([0]=0xb8, [1]=0x94, [2]=0xdf, [3]=0x5f, [4]=0x93, [5]=0xca, [6]=0xaf, [7]=0x74))) returned 0x0 [0072.304] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.304] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.304] CoTaskMemFree (pv=0x10be120) [0072.304] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.304] SetErrorMode (uMode=0x1) returned 0x0 [0072.305] SetErrorMode (uMode=0x0) returned 0x1 [0072.305] SetErrorMode (uMode=0x1) returned 0x0 [0072.305] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160)) returned 1 [0072.305] SetErrorMode (uMode=0x0) returned 0x1 [0072.305] SetErrorMode (uMode=0x1) returned 0x0 [0072.306] SetErrorMode (uMode=0x0) returned 0x1 [0072.306] GetFileType (hFile=0x30c) returned 0x1 [0072.306] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3761 [0072.308] CloseHandle (hObject=0x30c) returned 1 [0072.308] SetErrorMode (uMode=0x1) returned 0x0 [0072.309] SetErrorMode (uMode=0x0) returned 0x1 [0072.309] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.309] SetErrorMode (uMode=0x1) returned 0x0 [0072.309] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0072.309] SetErrorMode (uMode=0x0) returned 0x1 [0072.309] SetErrorMode (uMode=0x1) returned 0x0 [0072.309] SetErrorMode (uMode=0x0) returned 0x1 [0072.310] GetFileType (hFile=0x30c) returned 0x1 [0072.310] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0072.312] CloseHandle (hObject=0x30c) returned 1 [0072.312] SetErrorMode (uMode=0x1) returned 0x0 [0072.313] SetErrorMode (uMode=0x0) returned 0x1 [0072.313] SetErrorMode (uMode=0x1) returned 0x0 [0072.322] SetErrorMode (uMode=0x0) returned 0x1 [0072.322] GetFileType (hFile=0x30c) returned 0x1 [0072.323] CloseHandle (hObject=0x30c) returned 1 [0072.323] SetErrorMode (uMode=0x1) returned 0x0 [0072.323] SetErrorMode (uMode=0x0) returned 0x1 [0072.324] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.324] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.324] CoTaskMemFree (pv=0x10be120) [0072.324] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.324] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x16bf27af, Data2=0x9170, Data3=0x450b, Data4=([0]=0xb1, [1]=0x42, [2]=0xf1, [3]=0x2f, [4]=0xb8, [5]=0xa8, [6]=0x7b, [7]=0x52))) returned 0x0 [0072.324] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0072.324] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.324] CoTaskMemFree (pv=0x10be120) [0072.324] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.324] SetErrorMode (uMode=0x1) returned 0x0 [0072.324] SetErrorMode (uMode=0x0) returned 0x1 [0072.324] SetErrorMode (uMode=0x1) returned 0x0 [0072.324] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58)) returned 1 [0072.326] SetErrorMode (uMode=0x0) returned 0x1 [0072.326] SetErrorMode (uMode=0x1) returned 0x0 [0072.326] SetErrorMode (uMode=0x0) returned 0x1 [0072.326] GetFileType (hFile=0x30c) returned 0x1 [0072.326] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3559 [0072.615] CloseHandle (hObject=0x30c) returned 1 [0072.616] SetErrorMode (uMode=0x1) returned 0x0 [0072.617] SetErrorMode (uMode=0x0) returned 0x1 [0072.617] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.617] SetErrorMode (uMode=0x1) returned 0x0 [0072.617] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0)) returned 1 [0072.618] SetErrorMode (uMode=0x0) returned 0x1 [0072.618] SetErrorMode (uMode=0x1) returned 0x0 [0072.618] SetErrorMode (uMode=0x0) returned 0x1 [0072.618] GetFileType (hFile=0x30c) returned 0x1 [0072.618] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45981, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3 [0072.620] CloseHandle (hObject=0x30c) returned 1 [0072.620] SetErrorMode (uMode=0x1) returned 0x0 [0072.621] SetErrorMode (uMode=0x0) returned 0x1 [0072.621] SetErrorMode (uMode=0x1) returned 0x0 [0072.658] SetErrorMode (uMode=0x0) returned 0x1 [0072.658] GetFileType (hFile=0x30c) returned 0x1 [0072.659] CloseHandle (hObject=0x30c) returned 1 [0072.660] SetErrorMode (uMode=0x1) returned 0x0 [0072.660] SetErrorMode (uMode=0x0) returned 0x1 [0072.660] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.660] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.660] CoTaskMemFree (pv=0x10bd680) [0072.660] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.660] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x2055737d, Data2=0xa914, Data3=0x4e1b, Data4=([0]=0xbd, [1]=0x8f, [2]=0x4a, [3]=0xfc, [4]=0x1d, [5]=0xc3, [6]=0x54, [7]=0xcc))) returned 0x0 [0072.660] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.660] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.660] CoTaskMemFree (pv=0x10bc9c0) [0072.660] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.660] SetErrorMode (uMode=0x1) returned 0x0 [0072.661] SetErrorMode (uMode=0x0) returned 0x1 [0072.661] SetErrorMode (uMode=0x1) returned 0x0 [0072.661] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0072.661] SetErrorMode (uMode=0x0) returned 0x1 [0072.661] SetErrorMode (uMode=0x1) returned 0x0 [0072.661] SetErrorMode (uMode=0x0) returned 0x1 [0072.661] GetFileType (hFile=0x30c) returned 0x1 [0072.661] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3161 [0072.664] CloseHandle (hObject=0x30c) returned 1 [0072.664] SetErrorMode (uMode=0x1) returned 0x0 [0072.665] SetErrorMode (uMode=0x0) returned 0x1 [0072.665] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.665] SetErrorMode (uMode=0x1) returned 0x0 [0072.665] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0072.666] SetErrorMode (uMode=0x0) returned 0x1 [0072.666] SetErrorMode (uMode=0x1) returned 0x0 [0072.666] SetErrorMode (uMode=0x0) returned 0x1 [0072.666] GetFileType (hFile=0x30c) returned 0x1 [0072.666] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0072.668] CloseHandle (hObject=0x30c) returned 1 [0072.668] SetErrorMode (uMode=0x1) returned 0x0 [0072.669] SetErrorMode (uMode=0x0) returned 0x1 [0072.670] SetErrorMode (uMode=0x1) returned 0x0 [0072.672] SetErrorMode (uMode=0x0) returned 0x1 [0072.672] GetFileType (hFile=0x30c) returned 0x1 [0072.673] CloseHandle (hObject=0x30c) returned 1 [0072.673] SetErrorMode (uMode=0x1) returned 0x0 [0072.673] SetErrorMode (uMode=0x0) returned 0x1 [0072.673] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.674] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.674] CoTaskMemFree (pv=0x10bd680) [0072.674] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.674] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x66ad98ed, Data2=0x3cd5, Data3=0x47a4, Data4=([0]=0x9f, [1]=0x3f, [2]=0x67, [3]=0x5, [4]=0xca, [5]=0x1e, [6]=0xa4, [7]=0x60))) returned 0x0 [0072.674] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.674] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.674] CoTaskMemFree (pv=0x10bd680) [0072.674] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.674] SetErrorMode (uMode=0x1) returned 0x0 [0072.675] SetErrorMode (uMode=0x0) returned 0x1 [0072.676] SetErrorMode (uMode=0x1) returned 0x0 [0072.676] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0072.676] SetErrorMode (uMode=0x0) returned 0x1 [0072.676] SetErrorMode (uMode=0x1) returned 0x0 [0072.676] SetErrorMode (uMode=0x0) returned 0x1 [0072.676] GetFileType (hFile=0x30c) returned 0x1 [0072.676] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3161 [0072.678] CloseHandle (hObject=0x30c) returned 1 [0072.678] SetErrorMode (uMode=0x1) returned 0x0 [0072.679] SetErrorMode (uMode=0x0) returned 0x1 [0072.680] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.680] SetErrorMode (uMode=0x1) returned 0x0 [0072.680] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0)) returned 1 [0072.680] SetErrorMode (uMode=0x0) returned 0x1 [0072.686] SetErrorMode (uMode=0x1) returned 0x0 [0072.686] SetErrorMode (uMode=0x0) returned 0x1 [0072.686] GetFileType (hFile=0x30c) returned 0x1 [0072.686] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45981, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3 [0072.695] CloseHandle (hObject=0x30c) returned 1 [0072.695] SetErrorMode (uMode=0x1) returned 0x0 [0072.696] SetErrorMode (uMode=0x0) returned 0x1 [0072.697] SetErrorMode (uMode=0x1) returned 0x0 [0072.700] SetErrorMode (uMode=0x0) returned 0x1 [0072.700] GetFileType (hFile=0x30c) returned 0x1 [0072.701] CloseHandle (hObject=0x30c) returned 1 [0072.701] SetErrorMode (uMode=0x1) returned 0x0 [0072.701] SetErrorMode (uMode=0x0) returned 0x1 [0072.701] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.701] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.701] CoTaskMemFree (pv=0x10bd680) [0072.701] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.701] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x71bbe3ff, Data2=0x62f5, Data3=0x4ee6, Data4=([0]=0xa1, [1]=0x8f, [2]=0xe3, [3]=0x34, [4]=0x46, [5]=0x61, [6]=0x58, [7]=0x57))) returned 0x0 [0072.701] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.701] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.701] CoTaskMemFree (pv=0x10bd8a0) [0072.701] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.701] SetErrorMode (uMode=0x1) returned 0x0 [0072.702] SetErrorMode (uMode=0x0) returned 0x1 [0072.702] SetErrorMode (uMode=0x1) returned 0x0 [0072.702] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160)) returned 1 [0072.703] SetErrorMode (uMode=0x0) returned 0x1 [0072.703] SetErrorMode (uMode=0x1) returned 0x0 [0072.703] SetErrorMode (uMode=0x0) returned 0x1 [0072.703] GetFileType (hFile=0x30c) returned 0x1 [0072.703] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2761 [0072.705] CloseHandle (hObject=0x30c) returned 1 [0072.705] SetErrorMode (uMode=0x1) returned 0x0 [0072.706] SetErrorMode (uMode=0x0) returned 0x1 [0072.707] GetFullPathNameW (in: lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\qps-ploc\\memtest.exe.mui", lpFilePart=0x0) returned 0x20 [0072.707] SetErrorMode (uMode=0x1) returned 0x0 [0072.707] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398)) returned 1 [0072.707] SetErrorMode (uMode=0x0) returned 0x1 [0072.707] SetErrorMode (uMode=0x1) returned 0x0 [0072.707] SetErrorMode (uMode=0x0) returned 0x1 [0072.707] GetFileType (hFile=0x30c) returned 0x1 [0072.707] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-54054, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x72 [0072.812] CloseHandle (hObject=0x30c) returned 1 [0072.813] SetErrorMode (uMode=0x1) returned 0x0 [0072.813] SetErrorMode (uMode=0x0) returned 0x1 [0072.814] SetErrorMode (uMode=0x1) returned 0x0 [0072.816] SetErrorMode (uMode=0x0) returned 0x1 [0072.816] GetFileType (hFile=0x30c) returned 0x1 [0072.817] CloseHandle (hObject=0x30c) returned 1 [0072.817] SetErrorMode (uMode=0x1) returned 0x0 [0072.817] SetErrorMode (uMode=0x0) returned 0x1 [0072.817] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.817] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.818] CoTaskMemFree (pv=0x10bd680) [0072.818] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.818] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xc2679463, Data2=0xb393, Data3=0x443a, Data4=([0]=0x87, [1]=0x94, [2]=0x67, [3]=0x57, [4]=0xf, [5]=0xcb, [6]=0x74, [7]=0xe5))) returned 0x0 [0072.818] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.818] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.818] CoTaskMemFree (pv=0x10bc9c0) [0072.818] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.818] SetErrorMode (uMode=0x1) returned 0x0 [0072.819] SetErrorMode (uMode=0x0) returned 0x1 [0072.819] SetErrorMode (uMode=0x1) returned 0x0 [0072.819] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0)) returned 1 [0072.819] SetErrorMode (uMode=0x0) returned 0x1 [0072.819] SetErrorMode (uMode=0x1) returned 0x0 [0072.819] SetErrorMode (uMode=0x0) returned 0x1 [0072.819] GetFileType (hFile=0x30c) returned 0x1 [0072.819] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x6fa1 [0072.822] CloseHandle (hObject=0x30c) returned 1 [0072.822] SetErrorMode (uMode=0x1) returned 0x0 [0072.823] SetErrorMode (uMode=0x0) returned 0x1 [0072.823] SetErrorMode (uMode=0x1) returned 0x0 [0072.823] SetErrorMode (uMode=0x0) returned 0x1 [0072.823] GetFileType (hFile=0x30c) returned 0x1 [0072.824] CloseHandle (hObject=0x30c) returned 1 [0072.825] SetErrorMode (uMode=0x1) returned 0x0 [0072.825] SetErrorMode (uMode=0x0) returned 0x1 [0072.825] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.825] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.825] CoTaskMemFree (pv=0x10bc9c0) [0072.825] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.825] CoCreateGuid (in: pguid=0xf1e690 | out: pguid=0xf1e690*(Data1=0xe919b8f2, Data2=0xc68e, Data3=0x4ebf, Data4=([0]=0xbe, [1]=0xe6, [2]=0x7f, [3]=0x81, [4]=0x4d, [5]=0xa4, [6]=0x8f, [7]=0x69))) returned 0x0 [0072.825] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.825] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.825] CoTaskMemFree (pv=0x10bc9c0) [0072.825] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.825] SetErrorMode (uMode=0x1) returned 0x0 [0072.826] SetErrorMode (uMode=0x0) returned 0x1 [0072.826] SetErrorMode (uMode=0x1) returned 0x0 [0072.826] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e5d0 | out: lpFileInformation=0xf1e5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0)) returned 1 [0072.826] SetErrorMode (uMode=0x0) returned 0x1 [0072.826] SetErrorMode (uMode=0x1) returned 0x0 [0072.826] SetErrorMode (uMode=0x0) returned 0x1 [0072.826] GetFileType (hFile=0x30c) returned 0x1 [0072.826] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-12168, lpDistanceToMoveHigh=0xf1e6e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e6e0*=0) returned 0x18 [0072.829] CloseHandle (hObject=0x30c) returned 1 [0072.829] SetErrorMode (uMode=0x1) returned 0x0 [0072.829] SetErrorMode (uMode=0x0) returned 0x1 [0072.830] SetErrorMode (uMode=0x1) returned 0x0 [0072.831] SetErrorMode (uMode=0x0) returned 0x1 [0072.831] GetFileType (hFile=0x30c) returned 0x1 [0072.832] CloseHandle (hObject=0x30c) returned 1 [0072.832] SetErrorMode (uMode=0x1) returned 0x0 [0072.832] SetErrorMode (uMode=0x0) returned 0x1 [0072.832] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.832] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.832] CoTaskMemFree (pv=0x10bd680) [0072.832] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.832] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x5903a6c, Data2=0xf7f2, Data3=0x4a2b, Data4=([0]=0x81, [1]=0x72, [2]=0x1c, [3]=0x21, [4]=0xf0, [5]=0x41, [6]=0x33, [7]=0x94))) returned 0x0 [0072.832] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.832] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.832] CoTaskMemFree (pv=0x10bc9c0) [0072.832] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.832] SetErrorMode (uMode=0x1) returned 0x0 [0072.833] SetErrorMode (uMode=0x0) returned 0x1 [0072.833] SetErrorMode (uMode=0x1) returned 0x0 [0072.833] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960)) returned 1 [0072.833] SetErrorMode (uMode=0x0) returned 0x1 [0072.833] SetErrorMode (uMode=0x1) returned 0x0 [0072.833] SetErrorMode (uMode=0x0) returned 0x1 [0072.833] GetFileType (hFile=0x30c) returned 0x1 [0072.833] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2f61 [0072.835] CloseHandle (hObject=0x30c) returned 1 [0072.836] SetErrorMode (uMode=0x1) returned 0x0 [0072.836] SetErrorMode (uMode=0x0) returned 0x1 [0072.837] SetErrorMode (uMode=0x1) returned 0x0 [0072.837] SetErrorMode (uMode=0x0) returned 0x1 [0072.837] GetFileType (hFile=0x30c) returned 0x1 [0072.838] CloseHandle (hObject=0x30c) returned 1 [0072.838] SetErrorMode (uMode=0x1) returned 0x0 [0072.839] SetErrorMode (uMode=0x0) returned 0x1 [0072.839] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.839] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.839] CoTaskMemFree (pv=0x10bc9c0) [0072.839] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.839] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x23835f6c, Data2=0x8169, Data3=0x414e, Data4=([0]=0x94, [1]=0xae, [2]=0x8, [3]=0x57, [4]=0x70, [5]=0x94, [6]=0x57, [7]=0x66))) returned 0x0 [0072.840] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.840] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.840] CoTaskMemFree (pv=0x10bd680) [0072.840] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.840] SetErrorMode (uMode=0x1) returned 0x0 [0072.840] SetErrorMode (uMode=0x0) returned 0x1 [0072.841] SetErrorMode (uMode=0x1) returned 0x0 [0072.841] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0072.841] SetErrorMode (uMode=0x0) returned 0x1 [0072.841] SetErrorMode (uMode=0x1) returned 0x0 [0072.841] SetErrorMode (uMode=0x0) returned 0x1 [0072.841] GetFileType (hFile=0x30c) returned 0x1 [0072.841] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3361 [0072.843] CloseHandle (hObject=0x30c) returned 1 [0072.843] SetErrorMode (uMode=0x1) returned 0x0 [0072.844] SetErrorMode (uMode=0x0) returned 0x1 [0072.844] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.844] SetErrorMode (uMode=0x1) returned 0x0 [0072.844] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0)) returned 1 [0072.844] SetErrorMode (uMode=0x0) returned 0x1 [0072.844] SetErrorMode (uMode=0x1) returned 0x0 [0072.845] SetErrorMode (uMode=0x0) returned 0x1 [0072.845] GetFileType (hFile=0x30c) returned 0x1 [0072.845] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-44928, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x20 [0072.846] CloseHandle (hObject=0x30c) returned 1 [0072.846] SetErrorMode (uMode=0x1) returned 0x0 [0072.847] SetErrorMode (uMode=0x0) returned 0x1 [0072.847] SetErrorMode (uMode=0x1) returned 0x0 [0072.849] SetErrorMode (uMode=0x0) returned 0x1 [0072.849] GetFileType (hFile=0x30c) returned 0x1 [0072.850] CloseHandle (hObject=0x30c) returned 1 [0072.850] SetErrorMode (uMode=0x1) returned 0x0 [0072.851] SetErrorMode (uMode=0x0) returned 0x1 [0072.851] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.851] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.851] CoTaskMemFree (pv=0x10bd680) [0072.851] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.851] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xdab08ac2, Data2=0x6bed, Data3=0x457d, Data4=([0]=0xbe, [1]=0xf0, [2]=0x76, [3]=0x1a, [4]=0x7, [5]=0xe4, [6]=0x9a, [7]=0x28))) returned 0x0 [0072.851] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.851] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.851] CoTaskMemFree (pv=0x10bd680) [0072.851] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.851] SetErrorMode (uMode=0x1) returned 0x0 [0072.851] SetErrorMode (uMode=0x0) returned 0x1 [0072.851] SetErrorMode (uMode=0x1) returned 0x0 [0072.852] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58)) returned 1 [0072.918] SetErrorMode (uMode=0x0) returned 0x1 [0072.918] SetErrorMode (uMode=0x1) returned 0x0 [0072.918] SetErrorMode (uMode=0x0) returned 0x1 [0072.918] GetFileType (hFile=0x30c) returned 0x1 [0072.918] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3359 [0072.920] CloseHandle (hObject=0x30c) returned 1 [0072.921] SetErrorMode (uMode=0x1) returned 0x0 [0072.922] SetErrorMode (uMode=0x0) returned 0x1 [0072.922] SetErrorMode (uMode=0x1) returned 0x0 [0072.923] SetErrorMode (uMode=0x0) returned 0x1 [0072.923] GetFileType (hFile=0x30c) returned 0x1 [0072.924] CloseHandle (hObject=0x30c) returned 1 [0072.924] SetErrorMode (uMode=0x1) returned 0x0 [0072.924] SetErrorMode (uMode=0x0) returned 0x1 [0072.924] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.924] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.924] CoTaskMemFree (pv=0x10bc9c0) [0072.925] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.925] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x6533ad7f, Data2=0x8514, Data3=0x453a, Data4=([0]=0x80, [1]=0x3d, [2]=0x11, [3]=0x39, [4]=0xd0, [5]=0xeb, [6]=0x3a, [7]=0xb0))) returned 0x0 [0072.925] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.925] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.925] CoTaskMemFree (pv=0x10bd680) [0072.925] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.925] SetErrorMode (uMode=0x1) returned 0x0 [0072.925] SetErrorMode (uMode=0x0) returned 0x1 [0072.925] SetErrorMode (uMode=0x1) returned 0x0 [0072.925] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0072.925] SetErrorMode (uMode=0x0) returned 0x1 [0072.925] SetErrorMode (uMode=0x1) returned 0x0 [0072.926] SetErrorMode (uMode=0x0) returned 0x1 [0072.926] GetFileType (hFile=0x30c) returned 0x1 [0072.926] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3161 [0072.927] CloseHandle (hObject=0x30c) returned 1 [0072.927] SetErrorMode (uMode=0x1) returned 0x0 [0072.928] SetErrorMode (uMode=0x0) returned 0x1 [0072.929] SetErrorMode (uMode=0x1) returned 0x0 [0072.929] SetErrorMode (uMode=0x0) returned 0x1 [0072.929] GetFileType (hFile=0x30c) returned 0x1 [0072.930] CloseHandle (hObject=0x30c) returned 1 [0072.930] SetErrorMode (uMode=0x1) returned 0x0 [0072.931] SetErrorMode (uMode=0x0) returned 0x1 [0072.931] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.931] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.931] CoTaskMemFree (pv=0x10bd680) [0072.931] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.931] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x754db013, Data2=0xc41d, Data3=0x4277, Data4=([0]=0x80, [1]=0x5e, [2]=0x1, [3]=0x4e, [4]=0xd4, [5]=0x42, [6]=0xd6, [7]=0x35))) returned 0x0 [0072.931] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.931] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.931] CoTaskMemFree (pv=0x10bd680) [0072.931] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.931] SetErrorMode (uMode=0x1) returned 0x0 [0072.931] SetErrorMode (uMode=0x0) returned 0x1 [0072.931] SetErrorMode (uMode=0x1) returned 0x0 [0072.931] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0072.932] SetErrorMode (uMode=0x0) returned 0x1 [0072.932] SetErrorMode (uMode=0x1) returned 0x0 [0072.932] SetErrorMode (uMode=0x0) returned 0x1 [0072.932] GetFileType (hFile=0x30c) returned 0x1 [0072.932] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3361 [0072.934] CloseHandle (hObject=0x30c) returned 1 [0072.934] SetErrorMode (uMode=0x1) returned 0x0 [0072.935] SetErrorMode (uMode=0x0) returned 0x1 [0072.935] GetFullPathNameW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui", lpFilePart=0x0) returned 0x22 [0072.936] SetErrorMode (uMode=0x1) returned 0x0 [0072.936] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58)) returned 1 [0072.936] SetErrorMode (uMode=0x0) returned 0x1 [0072.936] SetErrorMode (uMode=0x1) returned 0x0 [0072.936] SetErrorMode (uMode=0x0) returned 0x1 [0072.936] GetFileType (hFile=0x30c) returned 0x1 [0072.936] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-44811, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4d [0072.939] CloseHandle (hObject=0x30c) returned 1 [0072.939] SetErrorMode (uMode=0x1) returned 0x0 [0072.939] SetErrorMode (uMode=0x0) returned 0x1 [0072.940] SetErrorMode (uMode=0x1) returned 0x0 [0072.941] SetErrorMode (uMode=0x0) returned 0x1 [0072.941] GetFileType (hFile=0x30c) returned 0x1 [0072.942] CloseHandle (hObject=0x30c) returned 1 [0072.943] SetErrorMode (uMode=0x1) returned 0x0 [0072.943] SetErrorMode (uMode=0x0) returned 0x1 [0072.943] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.943] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.943] CoTaskMemFree (pv=0x10bd680) [0072.943] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.943] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xb43df436, Data2=0xbc8b, Data3=0x47ed, Data4=([0]=0xa4, [1]=0x40, [2]=0x91, [3]=0x19, [4]=0x71, [5]=0xf6, [6]=0xb9, [7]=0xef))) returned 0x0 [0072.943] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0072.943] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.943] CoTaskMemFree (pv=0x10bd8a0) [0072.943] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.943] SetErrorMode (uMode=0x1) returned 0x0 [0072.944] SetErrorMode (uMode=0x0) returned 0x1 [0072.944] SetErrorMode (uMode=0x1) returned 0x0 [0072.944] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0072.944] SetErrorMode (uMode=0x0) returned 0x1 [0072.944] SetErrorMode (uMode=0x1) returned 0x0 [0072.944] SetErrorMode (uMode=0x0) returned 0x1 [0072.944] GetFileType (hFile=0x30c) returned 0x1 [0072.944] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3361 [0072.946] CloseHandle (hObject=0x30c) returned 1 [0072.946] SetErrorMode (uMode=0x1) returned 0x0 [0072.947] SetErrorMode (uMode=0x0) returned 0x1 [0072.947] SetErrorMode (uMode=0x1) returned 0x0 [0072.948] SetErrorMode (uMode=0x0) returned 0x1 [0072.948] GetFileType (hFile=0x30c) returned 0x1 [0072.949] CloseHandle (hObject=0x30c) returned 1 [0072.949] SetErrorMode (uMode=0x1) returned 0x0 [0072.949] SetErrorMode (uMode=0x0) returned 0x1 [0072.949] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0072.949] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0072.949] CoTaskMemFree (pv=0x10bd680) [0072.949] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0072.949] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x8d9edc37, Data2=0xd9b3, Data3=0x4c0f, Data4=([0]=0xa0, [1]=0x36, [2]=0xdc, [3]=0x99, [4]=0x4b, [5]=0x43, [6]=0x26, [7]=0xe7))) returned 0x0 [0072.949] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0072.949] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0072.949] CoTaskMemFree (pv=0x10bc9c0) [0072.949] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0072.949] SetErrorMode (uMode=0x1) returned 0x0 [0072.950] SetErrorMode (uMode=0x0) returned 0x1 [0072.950] SetErrorMode (uMode=0x1) returned 0x0 [0072.950] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960)) returned 1 [0072.951] SetErrorMode (uMode=0x0) returned 0x1 [0072.951] SetErrorMode (uMode=0x1) returned 0x0 [0072.951] SetErrorMode (uMode=0x0) returned 0x1 [0072.951] GetFileType (hFile=0x30c) returned 0x1 [0072.951] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2f61 [0072.953] CloseHandle (hObject=0x30c) returned 1 [0072.953] SetErrorMode (uMode=0x1) returned 0x0 [0072.954] SetErrorMode (uMode=0x0) returned 0x1 [0072.954] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0072.954] SetErrorMode (uMode=0x1) returned 0x0 [0072.954] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98)) returned 1 [0072.954] SetErrorMode (uMode=0x0) returned 0x1 [0072.955] SetErrorMode (uMode=0x1) returned 0x0 [0072.955] SetErrorMode (uMode=0x0) returned 0x1 [0072.955] GetFileType (hFile=0x30c) returned 0x1 [0072.955] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-44928, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x18 [0073.006] CloseHandle (hObject=0x30c) returned 1 [0073.006] SetErrorMode (uMode=0x1) returned 0x0 [0073.119] SetErrorMode (uMode=0x0) returned 0x1 [0073.119] SetErrorMode (uMode=0x1) returned 0x0 [0073.122] SetErrorMode (uMode=0x0) returned 0x1 [0073.122] GetFileType (hFile=0x30c) returned 0x1 [0073.123] CloseHandle (hObject=0x30c) returned 1 [0073.123] SetErrorMode (uMode=0x1) returned 0x0 [0073.123] SetErrorMode (uMode=0x0) returned 0x1 [0073.123] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0073.123] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.123] CoTaskMemFree (pv=0x10bc9c0) [0073.123] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.123] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xbe073a16, Data2=0x435a, Data3=0x46f5, Data4=([0]=0xaa, [1]=0x92, [2]=0xf, [3]=0xd8, [4]=0x5, [5]=0xe6, [6]=0x3f, [7]=0x5b))) returned 0x0 [0073.124] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0073.124] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.124] CoTaskMemFree (pv=0x10bd8a0) [0073.124] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.124] SetErrorMode (uMode=0x1) returned 0x0 [0073.125] SetErrorMode (uMode=0x0) returned 0x1 [0073.125] SetErrorMode (uMode=0x1) returned 0x0 [0073.125] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558)) returned 1 [0073.126] SetErrorMode (uMode=0x0) returned 0x1 [0073.126] SetErrorMode (uMode=0x1) returned 0x0 [0073.126] SetErrorMode (uMode=0x0) returned 0x1 [0073.126] GetFileType (hFile=0x30c) returned 0x1 [0073.126] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2b59 [0073.137] CloseHandle (hObject=0x30c) returned 1 [0073.138] SetErrorMode (uMode=0x1) returned 0x0 [0073.138] SetErrorMode (uMode=0x0) returned 0x1 [0073.139] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0073.139] SetErrorMode (uMode=0x1) returned 0x0 [0073.139] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0)) returned 1 [0073.139] SetErrorMode (uMode=0x0) returned 0x1 [0073.139] SetErrorMode (uMode=0x1) returned 0x0 [0073.139] SetErrorMode (uMode=0x0) returned 0x1 [0073.139] GetFileType (hFile=0x30c) returned 0x1 [0073.139] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-45396, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4c [0073.142] CloseHandle (hObject=0x30c) returned 1 [0073.142] SetErrorMode (uMode=0x1) returned 0x0 [0073.143] SetErrorMode (uMode=0x0) returned 0x1 [0073.143] SetErrorMode (uMode=0x1) returned 0x0 [0073.144] SetErrorMode (uMode=0x0) returned 0x1 [0073.144] GetFileType (hFile=0x30c) returned 0x1 [0073.145] CloseHandle (hObject=0x30c) returned 1 [0073.146] SetErrorMode (uMode=0x1) returned 0x0 [0073.146] SetErrorMode (uMode=0x0) returned 0x1 [0073.146] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.146] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.146] CoTaskMemFree (pv=0x10bd680) [0073.146] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.146] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x387d5f94, Data2=0xad68, Data3=0x4dfe, Data4=([0]=0x99, [1]=0x6e, [2]=0xf, [3]=0x71, [4]=0xa4, [5]=0x11, [6]=0x32, [7]=0x30))) returned 0x0 [0073.146] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0073.146] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.146] CoTaskMemFree (pv=0x10be120) [0073.146] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.146] SetErrorMode (uMode=0x1) returned 0x0 [0073.147] SetErrorMode (uMode=0x0) returned 0x1 [0073.147] SetErrorMode (uMode=0x1) returned 0x0 [0073.147] GetFileAttributesExW (in: lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0073.147] SetErrorMode (uMode=0x0) returned 0x1 [0073.147] SetErrorMode (uMode=0x1) returned 0x0 [0073.147] SetErrorMode (uMode=0x0) returned 0x1 [0073.147] GetFileType (hFile=0x30c) returned 0x1 [0073.147] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3361 [0073.149] CloseHandle (hObject=0x30c) returned 1 [0073.149] SetErrorMode (uMode=0x1) returned 0x0 [0073.150] SetErrorMode (uMode=0x0) returned 0x1 [0073.150] SetErrorMode (uMode=0x1) returned 0x0 [0073.151] SetErrorMode (uMode=0x0) returned 0x1 [0073.151] GetFileType (hFile=0x30c) returned 0x1 [0073.152] CloseHandle (hObject=0x30c) returned 1 [0073.152] SetErrorMode (uMode=0x1) returned 0x0 [0073.152] SetErrorMode (uMode=0x0) returned 0x1 [0073.152] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0073.152] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.152] CoTaskMemFree (pv=0x10be120) [0073.152] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.152] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x24195f7f, Data2=0x8506, Data3=0x49b2, Data4=([0]=0xa8, [1]=0x6a, [2]=0x45, [3]=0xd5, [4]=0x5, [5]=0x2d, [6]=0x3b, [7]=0x7c))) returned 0x0 [0073.152] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.152] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.152] CoTaskMemFree (pv=0x10bd680) [0073.152] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.152] SetErrorMode (uMode=0x1) returned 0x0 [0073.153] SetErrorMode (uMode=0x0) returned 0x1 [0073.153] SetErrorMode (uMode=0x1) returned 0x0 [0073.153] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960)) returned 1 [0073.154] SetErrorMode (uMode=0x0) returned 0x1 [0073.154] SetErrorMode (uMode=0x1) returned 0x0 [0073.154] SetErrorMode (uMode=0x0) returned 0x1 [0073.154] GetFileType (hFile=0x30c) returned 0x1 [0073.154] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63765, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0073.157] CloseHandle (hObject=0x30c) returned 1 [0073.157] SetErrorMode (uMode=0x1) returned 0x0 [0073.158] SetErrorMode (uMode=0x0) returned 0x1 [0073.158] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0073.158] SetErrorMode (uMode=0x1) returned 0x0 [0073.158] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0)) returned 1 [0073.158] SetErrorMode (uMode=0x0) returned 0x1 [0073.159] SetErrorMode (uMode=0x1) returned 0x0 [0073.159] SetErrorMode (uMode=0x0) returned 0x1 [0073.159] GetFileType (hFile=0x30c) returned 0x1 [0073.159] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42354, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x2e [0073.160] CloseHandle (hObject=0x30c) returned 1 [0073.160] SetErrorMode (uMode=0x1) returned 0x0 [0073.161] SetErrorMode (uMode=0x0) returned 0x1 [0073.161] SetErrorMode (uMode=0x1) returned 0x0 [0073.163] SetErrorMode (uMode=0x0) returned 0x1 [0073.163] GetFileType (hFile=0x30c) returned 0x1 [0073.164] CloseHandle (hObject=0x30c) returned 1 [0073.164] SetErrorMode (uMode=0x1) returned 0x0 [0073.165] SetErrorMode (uMode=0x0) returned 0x1 [0073.165] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.165] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.165] CoTaskMemFree (pv=0x10bd680) [0073.165] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.165] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0xe6cb90c6, Data2=0x4741, Data3=0x4d54, Data4=([0]=0x9e, [1]=0x4, [2]=0x69, [3]=0x50, [4]=0xae, [5]=0xf, [6]=0x5, [7]=0x4a))) returned 0x0 [0073.165] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.165] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.165] CoTaskMemFree (pv=0x10bd680) [0073.165] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.165] SetErrorMode (uMode=0x1) returned 0x0 [0073.165] SetErrorMode (uMode=0x0) returned 0x1 [0073.165] SetErrorMode (uMode=0x1) returned 0x0 [0073.166] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958)) returned 1 [0073.217] SetErrorMode (uMode=0x0) returned 0x1 [0073.217] SetErrorMode (uMode=0x1) returned 0x0 [0073.217] SetErrorMode (uMode=0x0) returned 0x1 [0073.217] GetFileType (hFile=0x30c) returned 0x1 [0073.217] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63765, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x43 [0073.219] CloseHandle (hObject=0x30c) returned 1 [0073.219] SetErrorMode (uMode=0x1) returned 0x0 [0073.220] SetErrorMode (uMode=0x0) returned 0x1 [0073.220] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0073.220] SetErrorMode (uMode=0x1) returned 0x0 [0073.220] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558)) returned 1 [0073.221] SetErrorMode (uMode=0x0) returned 0x1 [0073.221] SetErrorMode (uMode=0x1) returned 0x0 [0073.221] SetErrorMode (uMode=0x0) returned 0x1 [0073.221] GetFileType (hFile=0x30c) returned 0x1 [0073.221] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42237, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x5b [0073.223] CloseHandle (hObject=0x30c) returned 1 [0073.223] SetErrorMode (uMode=0x1) returned 0x0 [0073.224] SetErrorMode (uMode=0x0) returned 0x1 [0073.224] SetErrorMode (uMode=0x1) returned 0x0 [0073.226] SetErrorMode (uMode=0x0) returned 0x1 [0073.226] GetFileType (hFile=0x30c) returned 0x1 [0073.227] CloseHandle (hObject=0x30c) returned 1 [0073.227] SetErrorMode (uMode=0x1) returned 0x0 [0073.227] SetErrorMode (uMode=0x0) returned 0x1 [0073.227] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0073.227] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.227] CoTaskMemFree (pv=0x10bc9c0) [0073.228] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.228] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x4fcc124d, Data2=0x6d5f, Data3=0x4665, Data4=([0]=0xa6, [1]=0x5a, [2]=0x79, [3]=0x38, [4]=0x4a, [5]=0x45, [6]=0x8f, [7]=0x33))) returned 0x0 [0073.228] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0073.228] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.228] CoTaskMemFree (pv=0x10be120) [0073.228] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.228] SetErrorMode (uMode=0x1) returned 0x0 [0073.228] SetErrorMode (uMode=0x0) returned 0x1 [0073.228] SetErrorMode (uMode=0x1) returned 0x0 [0073.228] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960)) returned 1 [0073.228] SetErrorMode (uMode=0x0) returned 0x1 [0073.229] SetErrorMode (uMode=0x1) returned 0x0 [0073.229] SetErrorMode (uMode=0x0) returned 0x1 [0073.229] GetFileType (hFile=0x30c) returned 0x1 [0073.229] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63765, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x4b [0073.231] CloseHandle (hObject=0x30c) returned 1 [0073.231] SetErrorMode (uMode=0x1) returned 0x0 [0073.232] SetErrorMode (uMode=0x0) returned 0x1 [0073.232] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0073.232] SetErrorMode (uMode=0x1) returned 0x0 [0073.232] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598)) returned 1 [0073.232] SetErrorMode (uMode=0x0) returned 0x1 [0073.232] SetErrorMode (uMode=0x1) returned 0x0 [0073.232] SetErrorMode (uMode=0x0) returned 0x1 [0073.232] GetFileType (hFile=0x30c) returned 0x1 [0073.232] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-42354, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x26 [0073.234] CloseHandle (hObject=0x30c) returned 1 [0073.234] SetErrorMode (uMode=0x1) returned 0x0 [0073.235] SetErrorMode (uMode=0x0) returned 0x1 [0073.235] SetErrorMode (uMode=0x1) returned 0x0 [0073.237] SetErrorMode (uMode=0x0) returned 0x1 [0073.237] GetFileType (hFile=0x30c) returned 0x1 [0073.238] CloseHandle (hObject=0x30c) returned 1 [0073.238] SetErrorMode (uMode=0x1) returned 0x0 [0073.238] SetErrorMode (uMode=0x0) returned 0x1 [0073.238] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.238] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.238] CoTaskMemFree (pv=0x10bd680) [0073.238] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.238] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0xc4863585, Data2=0xdb5d, Data3=0x4e41, Data4=([0]=0xa8, [1]=0xaa, [2]=0x88, [3]=0x7c, [4]=0xc6, [5]=0x87, [6]=0xc9, [7]=0x30))) returned 0x0 [0073.239] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0073.239] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.239] CoTaskMemFree (pv=0x10bc9c0) [0073.239] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.239] SetErrorMode (uMode=0x1) returned 0x0 [0073.241] SetErrorMode (uMode=0x0) returned 0x1 [0073.241] SetErrorMode (uMode=0x1) returned 0x0 [0073.242] SetErrorMode (uMode=0x0) returned 0x1 [0073.242] GetFileType (hFile=0x30c) returned 0x1 [0073.243] CloseHandle (hObject=0x30c) returned 1 [0073.243] SetErrorMode (uMode=0x1) returned 0x0 [0073.244] SetErrorMode (uMode=0x0) returned 0x1 [0073.245] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0073.245] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.245] CoTaskMemFree (pv=0x10bc9c0) [0073.245] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.245] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0xa5d6ff7e, Data2=0x15cc, Data3=0x4065, Data4=([0]=0x81, [1]=0x80, [2]=0x85, [3]=0xa1, [4]=0xb3, [5]=0x5b, [6]=0xf4, [7]=0xad))) returned 0x0 [0073.245] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0073.245] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.245] CoTaskMemFree (pv=0x10bd680) [0073.245] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.245] SetErrorMode (uMode=0x1) returned 0x0 [0073.248] SetErrorMode (uMode=0x0) returned 0x1 [0073.248] SetErrorMode (uMode=0x1) returned 0x0 [0073.248] SetErrorMode (uMode=0x0) returned 0x1 [0073.248] GetFileType (hFile=0x30c) returned 0x1 [0073.253] CloseHandle (hObject=0x30c) returned 1 [0073.253] SetErrorMode (uMode=0x1) returned 0x0 [0073.253] SetErrorMode (uMode=0x0) returned 0x1 [0073.253] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0073.253] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0073.253] CoTaskMemFree (pv=0x10be120) [0073.253] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0073.254] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0x2ae576ab, Data2=0x7f86, Data3=0x4df4, Data4=([0]=0x80, [1]=0xaa, [2]=0xf4, [3]=0xec, [4]=0xa8, [5]=0x92, [6]=0xbe, [7]=0x88))) returned 0x0 [0073.254] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0073.254] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0073.254] CoTaskMemFree (pv=0x10bd8a0) [0073.254] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0073.254] SetErrorMode (uMode=0x1) returned 0x0 [0073.324] SetErrorMode (uMode=0x0) returned 0x1 [0073.325] SetErrorMode (uMode=0x1) returned 0x0 [0073.325] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.327] SetErrorMode (uMode=0x0) returned 0x1 [0073.327] SetErrorMode (uMode=0x1) returned 0x0 [0073.327] SetErrorMode (uMode=0x0) returned 0x1 [0073.327] GetFileType (hFile=0x30c) returned 0x1 [0073.327] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.329] CloseHandle (hObject=0x30c) returned 1 [0073.329] SetErrorMode (uMode=0x1) returned 0x0 [0073.329] SetErrorMode (uMode=0x0) returned 0x1 [0073.329] GetFileType (hFile=0x30c) returned 0x1 [0073.329] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.332] CloseHandle (hObject=0x30c) returned 1 [0073.351] SetErrorMode (uMode=0x1) returned 0x0 [0073.352] SetErrorMode (uMode=0x0) returned 0x1 [0073.352] GetFileType (hFile=0x30c) returned 0x1 [0073.352] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.354] CloseHandle (hObject=0x30c) returned 1 [0073.354] SetErrorMode (uMode=0x1) returned 0x0 [0073.354] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1c75d41, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.354] SetErrorMode (uMode=0x0) returned 0x1 [0073.355] MoveFileW (lpExistingFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="C:\\Logs\\Application.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\application.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.355] SetErrorMode (uMode=0x1) returned 0x0 [0073.355] GetFileAttributesExW (in: lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.356] SetErrorMode (uMode=0x0) returned 0x1 [0073.356] SetErrorMode (uMode=0x1) returned 0x0 [0073.356] SetErrorMode (uMode=0x0) returned 0x1 [0073.356] GetFileType (hFile=0x30c) returned 0x1 [0073.356] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.358] CloseHandle (hObject=0x30c) returned 1 [0073.358] SetErrorMode (uMode=0x1) returned 0x0 [0073.358] SetErrorMode (uMode=0x0) returned 0x1 [0073.358] GetFileType (hFile=0x30c) returned 0x1 [0073.358] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.361] CloseHandle (hObject=0x30c) returned 1 [0073.443] SetErrorMode (uMode=0x1) returned 0x0 [0073.443] SetErrorMode (uMode=0x0) returned 0x1 [0073.443] GetFileType (hFile=0x30c) returned 0x1 [0073.443] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.446] CloseHandle (hObject=0x30c) returned 1 [0073.446] SetErrorMode (uMode=0x1) returned 0x0 [0073.446] GetFileAttributesExW (in: lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1d5ab4f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.446] SetErrorMode (uMode=0x0) returned 0x1 [0073.446] MoveFileW (lpExistingFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="C:\\Logs\\HardwareEvents.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\hardwareevents.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.447] SetErrorMode (uMode=0x1) returned 0x0 [0073.447] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.447] SetErrorMode (uMode=0x0) returned 0x1 [0073.447] SetErrorMode (uMode=0x1) returned 0x0 [0073.447] SetErrorMode (uMode=0x0) returned 0x1 [0073.447] GetFileType (hFile=0x30c) returned 0x1 [0073.447] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.449] CloseHandle (hObject=0x30c) returned 1 [0073.449] SetErrorMode (uMode=0x1) returned 0x0 [0073.449] SetErrorMode (uMode=0x0) returned 0x1 [0073.449] GetFileType (hFile=0x30c) returned 0x1 [0073.449] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.452] CloseHandle (hObject=0x30c) returned 1 [0073.464] SetErrorMode (uMode=0x1) returned 0x0 [0073.464] SetErrorMode (uMode=0x0) returned 0x1 [0073.464] GetFileType (hFile=0x30c) returned 0x1 [0073.464] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.627] CloseHandle (hObject=0x30c) returned 1 [0073.627] SetErrorMode (uMode=0x1) returned 0x0 [0073.627] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1f24791, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.627] SetErrorMode (uMode=0x0) returned 0x1 [0073.627] MoveFileW (lpExistingFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="C:\\Logs\\Internet Explorer.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\internet explorer.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.628] SetErrorMode (uMode=0x1) returned 0x0 [0073.628] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.628] SetErrorMode (uMode=0x0) returned 0x1 [0073.628] SetErrorMode (uMode=0x1) returned 0x0 [0073.628] SetErrorMode (uMode=0x0) returned 0x1 [0073.628] GetFileType (hFile=0x30c) returned 0x1 [0073.628] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.630] CloseHandle (hObject=0x30c) returned 1 [0073.630] SetErrorMode (uMode=0x1) returned 0x0 [0073.631] SetErrorMode (uMode=0x0) returned 0x1 [0073.631] GetFileType (hFile=0x30c) returned 0x1 [0073.631] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.633] CloseHandle (hObject=0x30c) returned 1 [0073.647] SetErrorMode (uMode=0x1) returned 0x0 [0073.647] SetErrorMode (uMode=0x0) returned 0x1 [0073.647] GetFileType (hFile=0x30c) returned 0x1 [0073.647] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.649] CloseHandle (hObject=0x30c) returned 1 [0073.649] SetErrorMode (uMode=0x1) returned 0x0 [0073.650] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1f4a9e4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.650] SetErrorMode (uMode=0x0) returned 0x1 [0073.650] MoveFileW (lpExistingFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="C:\\Logs\\Key Management Service.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\key management service.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.650] SetErrorMode (uMode=0x1) returned 0x0 [0073.650] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.650] SetErrorMode (uMode=0x0) returned 0x1 [0073.651] SetErrorMode (uMode=0x1) returned 0x0 [0073.651] SetErrorMode (uMode=0x0) returned 0x1 [0073.651] GetFileType (hFile=0x30c) returned 0x1 [0073.651] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.671] CloseHandle (hObject=0x30c) returned 1 [0073.672] SetErrorMode (uMode=0x1) returned 0x0 [0073.672] SetErrorMode (uMode=0x0) returned 0x1 [0073.672] GetFileType (hFile=0x30c) returned 0x1 [0073.672] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.674] CloseHandle (hObject=0x30c) returned 1 [0073.687] SetErrorMode (uMode=0x1) returned 0x0 [0073.687] SetErrorMode (uMode=0x0) returned 0x1 [0073.687] GetFileType (hFile=0x30c) returned 0x1 [0073.687] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.690] CloseHandle (hObject=0x30c) returned 1 [0073.690] SetErrorMode (uMode=0x1) returned 0x0 [0073.690] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1fbd248, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.690] SetErrorMode (uMode=0x0) returned 0x1 [0073.690] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.691] SetErrorMode (uMode=0x1) returned 0x0 [0073.691] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.692] SetErrorMode (uMode=0x0) returned 0x1 [0073.692] SetErrorMode (uMode=0x1) returned 0x0 [0073.692] SetErrorMode (uMode=0x0) returned 0x1 [0073.692] GetFileType (hFile=0x30c) returned 0x1 [0073.692] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.694] CloseHandle (hObject=0x30c) returned 1 [0073.694] SetErrorMode (uMode=0x1) returned 0x0 [0073.694] SetErrorMode (uMode=0x0) returned 0x1 [0073.694] GetFileType (hFile=0x30c) returned 0x1 [0073.694] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.696] CloseHandle (hObject=0x30c) returned 1 [0073.709] SetErrorMode (uMode=0x1) returned 0x0 [0073.709] SetErrorMode (uMode=0x0) returned 0x1 [0073.709] GetFileType (hFile=0x30c) returned 0x1 [0073.709] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.714] CloseHandle (hObject=0x30c) returned 1 [0073.714] SetErrorMode (uMode=0x1) returned 0x0 [0073.714] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1fe332e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.714] SetErrorMode (uMode=0x0) returned 0x1 [0073.714] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.715] SetErrorMode (uMode=0x1) returned 0x0 [0073.715] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0073.739] SetErrorMode (uMode=0x0) returned 0x1 [0073.739] SetErrorMode (uMode=0x1) returned 0x0 [0073.739] SetErrorMode (uMode=0x0) returned 0x1 [0073.739] GetFileType (hFile=0x30c) returned 0x1 [0073.739] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0073.744] CloseHandle (hObject=0x30c) returned 1 [0073.744] SetErrorMode (uMode=0x1) returned 0x0 [0073.744] SetErrorMode (uMode=0x0) returned 0x1 [0073.744] GetFileType (hFile=0x30c) returned 0x1 [0073.744] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0073.748] CloseHandle (hObject=0x30c) returned 1 [0073.761] SetErrorMode (uMode=0x1) returned 0x0 [0073.761] SetErrorMode (uMode=0x0) returned 0x1 [0073.761] GetFileType (hFile=0x30c) returned 0x1 [0073.761] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0073.764] CloseHandle (hObject=0x30c) returned 1 [0073.764] SetErrorMode (uMode=0x1) returned 0x0 [0073.764] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2055a92, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0073.764] SetErrorMode (uMode=0x0) returned 0x1 [0073.764] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.765] SetErrorMode (uMode=0x1) returned 0x0 [0073.765] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.766] SetErrorMode (uMode=0x0) returned 0x1 [0073.766] SetErrorMode (uMode=0x1) returned 0x0 [0073.766] SetErrorMode (uMode=0x0) returned 0x1 [0073.766] GetFileType (hFile=0x30c) returned 0x1 [0073.766] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.768] CloseHandle (hObject=0x30c) returned 1 [0073.768] SetErrorMode (uMode=0x1) returned 0x0 [0073.768] SetErrorMode (uMode=0x0) returned 0x1 [0073.768] GetFileType (hFile=0x30c) returned 0x1 [0073.768] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.770] CloseHandle (hObject=0x30c) returned 1 [0073.824] SetErrorMode (uMode=0x1) returned 0x0 [0073.824] SetErrorMode (uMode=0x0) returned 0x1 [0073.824] GetFileType (hFile=0x30c) returned 0x1 [0073.824] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.827] CloseHandle (hObject=0x30c) returned 1 [0073.828] SetErrorMode (uMode=0x1) returned 0x0 [0073.828] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe20ee47b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.828] SetErrorMode (uMode=0x0) returned 0x1 [0073.828] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.829] SetErrorMode (uMode=0x1) returned 0x0 [0073.829] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.829] SetErrorMode (uMode=0x0) returned 0x1 [0073.829] SetErrorMode (uMode=0x1) returned 0x0 [0073.829] SetErrorMode (uMode=0x0) returned 0x1 [0073.829] GetFileType (hFile=0x30c) returned 0x1 [0073.829] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.831] CloseHandle (hObject=0x30c) returned 1 [0073.831] SetErrorMode (uMode=0x1) returned 0x0 [0073.831] SetErrorMode (uMode=0x0) returned 0x1 [0073.831] GetFileType (hFile=0x30c) returned 0x1 [0073.831] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.834] CloseHandle (hObject=0x30c) returned 1 [0073.901] SetErrorMode (uMode=0x1) returned 0x0 [0073.901] SetErrorMode (uMode=0x0) returned 0x1 [0073.901] GetFileType (hFile=0x30c) returned 0x1 [0073.901] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.904] CloseHandle (hObject=0x30c) returned 1 [0073.904] SetErrorMode (uMode=0x1) returned 0x0 [0073.904] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe21acf86, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.904] SetErrorMode (uMode=0x0) returned 0x1 [0073.904] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.905] SetErrorMode (uMode=0x1) returned 0x0 [0073.905] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.905] SetErrorMode (uMode=0x0) returned 0x1 [0073.905] SetErrorMode (uMode=0x1) returned 0x0 [0073.905] SetErrorMode (uMode=0x0) returned 0x1 [0073.905] GetFileType (hFile=0x30c) returned 0x1 [0073.905] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0073.907] CloseHandle (hObject=0x30c) returned 1 [0073.908] SetErrorMode (uMode=0x1) returned 0x0 [0073.908] SetErrorMode (uMode=0x0) returned 0x1 [0073.908] GetFileType (hFile=0x30c) returned 0x1 [0073.908] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0073.910] CloseHandle (hObject=0x30c) returned 1 [0073.927] SetErrorMode (uMode=0x1) returned 0x0 [0073.927] SetErrorMode (uMode=0x0) returned 0x1 [0073.927] GetFileType (hFile=0x30c) returned 0x1 [0073.927] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0073.930] CloseHandle (hObject=0x30c) returned 1 [0073.930] SetErrorMode (uMode=0x1) returned 0x0 [0073.930] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe21f94ed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0073.930] SetErrorMode (uMode=0x0) returned 0x1 [0073.930] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0073.931] SetErrorMode (uMode=0x1) returned 0x0 [0073.931] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0073.931] SetErrorMode (uMode=0x0) returned 0x1 [0073.931] SetErrorMode (uMode=0x1) returned 0x0 [0073.931] SetErrorMode (uMode=0x0) returned 0x1 [0073.931] GetFileType (hFile=0x30c) returned 0x1 [0073.931] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.021] CloseHandle (hObject=0x30c) returned 1 [0074.021] SetErrorMode (uMode=0x1) returned 0x0 [0074.021] SetErrorMode (uMode=0x0) returned 0x1 [0074.021] GetFileType (hFile=0x30c) returned 0x1 [0074.021] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.024] CloseHandle (hObject=0x30c) returned 1 [0074.042] SetErrorMode (uMode=0x1) returned 0x0 [0074.042] SetErrorMode (uMode=0x0) returned 0x1 [0074.042] GetFileType (hFile=0x30c) returned 0x1 [0074.042] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.045] CloseHandle (hObject=0x30c) returned 1 [0074.045] SetErrorMode (uMode=0x1) returned 0x0 [0074.045] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe23042dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.045] SetErrorMode (uMode=0x0) returned 0x1 [0074.045] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.047] SetErrorMode (uMode=0x1) returned 0x0 [0074.048] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.048] SetErrorMode (uMode=0x0) returned 0x1 [0074.048] SetErrorMode (uMode=0x1) returned 0x0 [0074.048] SetErrorMode (uMode=0x0) returned 0x1 [0074.048] GetFileType (hFile=0x30c) returned 0x1 [0074.048] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.050] CloseHandle (hObject=0x30c) returned 1 [0074.050] SetErrorMode (uMode=0x1) returned 0x0 [0074.050] SetErrorMode (uMode=0x0) returned 0x1 [0074.050] GetFileType (hFile=0x30c) returned 0x1 [0074.050] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.052] CloseHandle (hObject=0x30c) returned 1 [0074.124] SetErrorMode (uMode=0x1) returned 0x0 [0074.124] SetErrorMode (uMode=0x0) returned 0x1 [0074.124] GetFileType (hFile=0x30c) returned 0x1 [0074.124] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.127] CloseHandle (hObject=0x30c) returned 1 [0074.127] SetErrorMode (uMode=0x1) returned 0x0 [0074.127] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe23e9370, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.127] SetErrorMode (uMode=0x0) returned 0x1 [0074.127] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.128] SetErrorMode (uMode=0x1) returned 0x0 [0074.128] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.128] SetErrorMode (uMode=0x0) returned 0x1 [0074.128] SetErrorMode (uMode=0x1) returned 0x0 [0074.128] SetErrorMode (uMode=0x0) returned 0x1 [0074.128] GetFileType (hFile=0x30c) returned 0x1 [0074.128] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.132] CloseHandle (hObject=0x30c) returned 1 [0074.132] SetErrorMode (uMode=0x1) returned 0x0 [0074.132] SetErrorMode (uMode=0x0) returned 0x1 [0074.132] GetFileType (hFile=0x30c) returned 0x1 [0074.132] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.135] CloseHandle (hObject=0x30c) returned 1 [0074.153] SetErrorMode (uMode=0x1) returned 0x0 [0074.153] SetErrorMode (uMode=0x0) returned 0x1 [0074.153] GetFileType (hFile=0x30c) returned 0x1 [0074.153] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.190] CloseHandle (hObject=0x30c) returned 1 [0074.190] SetErrorMode (uMode=0x1) returned 0x0 [0074.190] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2481c63, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.190] SetErrorMode (uMode=0x0) returned 0x1 [0074.190] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.191] SetErrorMode (uMode=0x1) returned 0x0 [0074.191] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000)) returned 1 [0074.193] SetErrorMode (uMode=0x0) returned 0x1 [0074.193] SetErrorMode (uMode=0x1) returned 0x0 [0074.193] SetErrorMode (uMode=0x0) returned 0x1 [0074.193] GetFileType (hFile=0x30c) returned 0x1 [0074.193] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x101601 [0074.244] CloseHandle (hObject=0x30c) returned 1 [0074.245] SetErrorMode (uMode=0x1) returned 0x0 [0074.245] SetErrorMode (uMode=0x0) returned 0x1 [0074.245] GetFileType (hFile=0x30c) returned 0x1 [0074.245] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x111000 [0074.247] CloseHandle (hObject=0x30c) returned 1 [0074.266] SetErrorMode (uMode=0x1) returned 0x0 [0074.266] SetErrorMode (uMode=0x0) returned 0x1 [0074.266] GetFileType (hFile=0x30c) returned 0x1 [0074.266] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x101601 [0074.269] CloseHandle (hObject=0x30c) returned 1 [0074.269] SetErrorMode (uMode=0x1) returned 0x0 [0074.269] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe25415b3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0)) returned 1 [0074.269] SetErrorMode (uMode=0x0) returned 0x1 [0074.269] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.270] SetErrorMode (uMode=0x1) returned 0x0 [0074.270] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.270] SetErrorMode (uMode=0x0) returned 0x1 [0074.270] SetErrorMode (uMode=0x1) returned 0x0 [0074.270] SetErrorMode (uMode=0x0) returned 0x1 [0074.270] GetFileType (hFile=0x30c) returned 0x1 [0074.270] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.345] CloseHandle (hObject=0x30c) returned 1 [0074.345] SetErrorMode (uMode=0x1) returned 0x0 [0074.345] SetErrorMode (uMode=0x0) returned 0x1 [0074.345] GetFileType (hFile=0x30c) returned 0x1 [0074.345] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.348] CloseHandle (hObject=0x30c) returned 1 [0074.452] SetErrorMode (uMode=0x1) returned 0x0 [0074.453] SetErrorMode (uMode=0x0) returned 0x1 [0074.453] GetFileType (hFile=0x30c) returned 0x1 [0074.453] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.458] CloseHandle (hObject=0x30c) returned 1 [0074.461] SetErrorMode (uMode=0x1) returned 0x0 [0074.461] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe26fabe2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.461] SetErrorMode (uMode=0x0) returned 0x1 [0074.461] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.463] SetErrorMode (uMode=0x1) returned 0x0 [0074.463] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000)) returned 1 [0074.463] SetErrorMode (uMode=0x0) returned 0x1 [0074.463] SetErrorMode (uMode=0x1) returned 0x0 [0074.463] SetErrorMode (uMode=0x0) returned 0x1 [0074.464] GetFileType (hFile=0x30c) returned 0x1 [0074.464] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x201601 [0074.465] CloseHandle (hObject=0x30c) returned 1 [0074.465] SetErrorMode (uMode=0x1) returned 0x0 [0074.466] SetErrorMode (uMode=0x0) returned 0x1 [0074.466] GetFileType (hFile=0x30c) returned 0x1 [0074.466] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x211000 [0074.468] CloseHandle (hObject=0x30c) returned 1 [0074.484] SetErrorMode (uMode=0x1) returned 0x0 [0074.485] SetErrorMode (uMode=0x0) returned 0x1 [0074.485] GetFileType (hFile=0x30c) returned 0x1 [0074.485] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x201601 [0074.487] CloseHandle (hObject=0x30c) returned 1 [0074.487] SetErrorMode (uMode=0x1) returned 0x0 [0074.487] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2747101, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2182c0)) returned 1 [0074.487] SetErrorMode (uMode=0x0) returned 0x1 [0074.487] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.488] SetErrorMode (uMode=0x1) returned 0x0 [0074.488] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.566] SetErrorMode (uMode=0x0) returned 0x1 [0074.566] SetErrorMode (uMode=0x1) returned 0x0 [0074.566] SetErrorMode (uMode=0x0) returned 0x1 [0074.566] GetFileType (hFile=0x30c) returned 0x1 [0074.566] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.568] CloseHandle (hObject=0x30c) returned 1 [0074.568] SetErrorMode (uMode=0x1) returned 0x0 [0074.568] SetErrorMode (uMode=0x0) returned 0x1 [0074.568] GetFileType (hFile=0x30c) returned 0x1 [0074.568] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.571] CloseHandle (hObject=0x30c) returned 1 [0074.589] SetErrorMode (uMode=0x1) returned 0x0 [0074.589] SetErrorMode (uMode=0x0) returned 0x1 [0074.589] GetFileType (hFile=0x30c) returned 0x1 [0074.589] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.592] CloseHandle (hObject=0x30c) returned 1 [0074.592] SetErrorMode (uMode=0x1) returned 0x0 [0074.592] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe285221e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.592] SetErrorMode (uMode=0x0) returned 0x1 [0074.592] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.593] SetErrorMode (uMode=0x1) returned 0x0 [0074.593] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.593] SetErrorMode (uMode=0x0) returned 0x1 [0074.593] SetErrorMode (uMode=0x1) returned 0x0 [0074.593] SetErrorMode (uMode=0x0) returned 0x1 [0074.593] GetFileType (hFile=0x30c) returned 0x1 [0074.593] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.595] CloseHandle (hObject=0x30c) returned 1 [0074.595] SetErrorMode (uMode=0x1) returned 0x0 [0074.596] SetErrorMode (uMode=0x0) returned 0x1 [0074.596] GetFileType (hFile=0x30c) returned 0x1 [0074.596] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.598] CloseHandle (hObject=0x30c) returned 1 [0074.650] SetErrorMode (uMode=0x1) returned 0x0 [0074.650] SetErrorMode (uMode=0x0) returned 0x1 [0074.650] GetFileType (hFile=0x30c) returned 0x1 [0074.650] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.653] CloseHandle (hObject=0x30c) returned 1 [0074.653] SetErrorMode (uMode=0x1) returned 0x0 [0074.653] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe28eab70, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.653] SetErrorMode (uMode=0x0) returned 0x1 [0074.653] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.654] SetErrorMode (uMode=0x1) returned 0x0 [0074.654] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.655] SetErrorMode (uMode=0x0) returned 0x1 [0074.655] SetErrorMode (uMode=0x1) returned 0x0 [0074.655] SetErrorMode (uMode=0x0) returned 0x1 [0074.655] GetFileType (hFile=0x30c) returned 0x1 [0074.655] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.657] CloseHandle (hObject=0x30c) returned 1 [0074.657] SetErrorMode (uMode=0x1) returned 0x0 [0074.657] SetErrorMode (uMode=0x0) returned 0x1 [0074.657] GetFileType (hFile=0x30c) returned 0x1 [0074.657] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.659] CloseHandle (hObject=0x30c) returned 1 [0074.678] SetErrorMode (uMode=0x1) returned 0x0 [0074.678] SetErrorMode (uMode=0x0) returned 0x1 [0074.678] GetFileType (hFile=0x30c) returned 0x1 [0074.678] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.745] CloseHandle (hObject=0x30c) returned 1 [0074.746] SetErrorMode (uMode=0x1) returned 0x0 [0074.746] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe29cf673, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.746] SetErrorMode (uMode=0x0) returned 0x1 [0074.746] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.747] SetErrorMode (uMode=0x1) returned 0x0 [0074.747] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.747] SetErrorMode (uMode=0x0) returned 0x1 [0074.747] SetErrorMode (uMode=0x1) returned 0x0 [0074.747] SetErrorMode (uMode=0x0) returned 0x1 [0074.747] GetFileType (hFile=0x30c) returned 0x1 [0074.747] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.749] CloseHandle (hObject=0x30c) returned 1 [0074.749] SetErrorMode (uMode=0x1) returned 0x0 [0074.749] SetErrorMode (uMode=0x0) returned 0x1 [0074.749] GetFileType (hFile=0x30c) returned 0x1 [0074.749] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.752] CloseHandle (hObject=0x30c) returned 1 [0074.773] SetErrorMode (uMode=0x1) returned 0x0 [0074.773] SetErrorMode (uMode=0x0) returned 0x1 [0074.773] GetFileType (hFile=0x30c) returned 0x1 [0074.773] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.777] CloseHandle (hObject=0x30c) returned 1 [0074.777] SetErrorMode (uMode=0x1) returned 0x0 [0074.777] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2a1fd01, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.779] SetErrorMode (uMode=0x0) returned 0x1 [0074.779] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.780] SetErrorMode (uMode=0x1) returned 0x0 [0074.780] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.780] SetErrorMode (uMode=0x0) returned 0x1 [0074.780] SetErrorMode (uMode=0x1) returned 0x0 [0074.780] SetErrorMode (uMode=0x0) returned 0x1 [0074.780] GetFileType (hFile=0x30c) returned 0x1 [0074.780] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.841] CloseHandle (hObject=0x30c) returned 1 [0074.841] SetErrorMode (uMode=0x1) returned 0x0 [0074.841] SetErrorMode (uMode=0x0) returned 0x1 [0074.841] GetFileType (hFile=0x30c) returned 0x1 [0074.841] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.844] CloseHandle (hObject=0x30c) returned 1 [0074.873] SetErrorMode (uMode=0x1) returned 0x0 [0074.873] SetErrorMode (uMode=0x0) returned 0x1 [0074.873] GetFileType (hFile=0x30c) returned 0x1 [0074.873] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.920] CloseHandle (hObject=0x30c) returned 1 [0074.920] SetErrorMode (uMode=0x1) returned 0x0 [0074.920] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2b77645, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.920] SetErrorMode (uMode=0x0) returned 0x1 [0074.920] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.921] SetErrorMode (uMode=0x1) returned 0x0 [0074.921] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.921] SetErrorMode (uMode=0x0) returned 0x1 [0074.921] SetErrorMode (uMode=0x1) returned 0x0 [0074.921] SetErrorMode (uMode=0x0) returned 0x1 [0074.921] GetFileType (hFile=0x30c) returned 0x1 [0074.921] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.923] CloseHandle (hObject=0x30c) returned 1 [0074.923] SetErrorMode (uMode=0x1) returned 0x0 [0074.923] SetErrorMode (uMode=0x0) returned 0x1 [0074.923] GetFileType (hFile=0x30c) returned 0x1 [0074.923] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.926] CloseHandle (hObject=0x30c) returned 1 [0074.938] SetErrorMode (uMode=0x1) returned 0x0 [0074.938] SetErrorMode (uMode=0x0) returned 0x1 [0074.938] GetFileType (hFile=0x30c) returned 0x1 [0074.938] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0074.940] CloseHandle (hObject=0x30c) returned 1 [0074.941] SetErrorMode (uMode=0x1) returned 0x0 [0074.941] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2b9e139, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0074.941] SetErrorMode (uMode=0x0) returned 0x1 [0074.941] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0074.941] SetErrorMode (uMode=0x1) returned 0x0 [0074.941] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0074.941] SetErrorMode (uMode=0x0) returned 0x1 [0074.942] SetErrorMode (uMode=0x1) returned 0x0 [0074.942] SetErrorMode (uMode=0x0) returned 0x1 [0074.942] GetFileType (hFile=0x30c) returned 0x1 [0074.942] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0074.952] CloseHandle (hObject=0x30c) returned 1 [0074.952] SetErrorMode (uMode=0x1) returned 0x0 [0074.952] SetErrorMode (uMode=0x0) returned 0x1 [0074.952] GetFileType (hFile=0x30c) returned 0x1 [0074.952] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0074.954] CloseHandle (hObject=0x30c) returned 1 [0075.007] SetErrorMode (uMode=0x1) returned 0x0 [0075.007] SetErrorMode (uMode=0x0) returned 0x1 [0075.007] GetFileType (hFile=0x30c) returned 0x1 [0075.007] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.010] CloseHandle (hObject=0x30c) returned 1 [0075.011] SetErrorMode (uMode=0x1) returned 0x0 [0075.011] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2c5c366, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.011] SetErrorMode (uMode=0x0) returned 0x1 [0075.011] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.012] SetErrorMode (uMode=0x1) returned 0x0 [0075.012] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.012] SetErrorMode (uMode=0x0) returned 0x1 [0075.012] SetErrorMode (uMode=0x1) returned 0x0 [0075.013] SetErrorMode (uMode=0x0) returned 0x1 [0075.013] GetFileType (hFile=0x30c) returned 0x1 [0075.013] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.014] CloseHandle (hObject=0x30c) returned 1 [0075.014] SetErrorMode (uMode=0x1) returned 0x0 [0075.015] SetErrorMode (uMode=0x0) returned 0x1 [0075.015] GetFileType (hFile=0x30c) returned 0x1 [0075.015] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.017] CloseHandle (hObject=0x30c) returned 1 [0075.032] SetErrorMode (uMode=0x1) returned 0x0 [0075.032] SetErrorMode (uMode=0x0) returned 0x1 [0075.032] GetFileType (hFile=0x30c) returned 0x1 [0075.032] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.035] CloseHandle (hObject=0x30c) returned 1 [0075.035] SetErrorMode (uMode=0x1) returned 0x0 [0075.035] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2c824f1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.035] SetErrorMode (uMode=0x0) returned 0x1 [0075.035] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.036] SetErrorMode (uMode=0x1) returned 0x0 [0075.036] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0075.036] SetErrorMode (uMode=0x0) returned 0x1 [0075.036] SetErrorMode (uMode=0x1) returned 0x0 [0075.036] SetErrorMode (uMode=0x0) returned 0x1 [0075.036] GetFileType (hFile=0x30c) returned 0x1 [0075.036] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0075.090] CloseHandle (hObject=0x30c) returned 1 [0075.090] SetErrorMode (uMode=0x1) returned 0x0 [0075.090] SetErrorMode (uMode=0x0) returned 0x1 [0075.090] GetFileType (hFile=0x30c) returned 0x1 [0075.091] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0075.094] CloseHandle (hObject=0x30c) returned 1 [0075.111] SetErrorMode (uMode=0x1) returned 0x0 [0075.111] SetErrorMode (uMode=0x0) returned 0x1 [0075.111] GetFileType (hFile=0x30c) returned 0x1 [0075.111] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0075.114] CloseHandle (hObject=0x30c) returned 1 [0075.114] SetErrorMode (uMode=0x1) returned 0x0 [0075.114] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2d412dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0075.114] SetErrorMode (uMode=0x0) returned 0x1 [0075.114] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.115] SetErrorMode (uMode=0x1) returned 0x0 [0075.115] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.115] SetErrorMode (uMode=0x0) returned 0x1 [0075.115] SetErrorMode (uMode=0x1) returned 0x0 [0075.115] SetErrorMode (uMode=0x0) returned 0x1 [0075.115] GetFileType (hFile=0x30c) returned 0x1 [0075.115] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.121] CloseHandle (hObject=0x30c) returned 1 [0075.122] SetErrorMode (uMode=0x1) returned 0x0 [0075.122] SetErrorMode (uMode=0x0) returned 0x1 [0075.122] GetFileType (hFile=0x30c) returned 0x1 [0075.122] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.124] CloseHandle (hObject=0x30c) returned 1 [0075.142] SetErrorMode (uMode=0x1) returned 0x0 [0075.142] SetErrorMode (uMode=0x0) returned 0x1 [0075.143] GetFileType (hFile=0x30c) returned 0x1 [0075.143] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.145] CloseHandle (hObject=0x30c) returned 1 [0075.145] SetErrorMode (uMode=0x1) returned 0x0 [0075.146] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2d8d81e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.146] SetErrorMode (uMode=0x0) returned 0x1 [0075.146] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.146] SetErrorMode (uMode=0x1) returned 0x0 [0075.147] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.147] SetErrorMode (uMode=0x0) returned 0x1 [0075.147] SetErrorMode (uMode=0x1) returned 0x0 [0075.147] SetErrorMode (uMode=0x0) returned 0x1 [0075.147] GetFileType (hFile=0x30c) returned 0x1 [0075.147] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.149] CloseHandle (hObject=0x30c) returned 1 [0075.149] SetErrorMode (uMode=0x1) returned 0x0 [0075.149] SetErrorMode (uMode=0x0) returned 0x1 [0075.149] GetFileType (hFile=0x30c) returned 0x1 [0075.149] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.152] CloseHandle (hObject=0x30c) returned 1 [0075.168] SetErrorMode (uMode=0x1) returned 0x0 [0075.168] SetErrorMode (uMode=0x0) returned 0x1 [0075.168] GetFileType (hFile=0x30c) returned 0x1 [0075.168] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.171] CloseHandle (hObject=0x30c) returned 1 [0075.171] SetErrorMode (uMode=0x1) returned 0x0 [0075.171] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2dd9b52, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.171] SetErrorMode (uMode=0x0) returned 0x1 [0075.171] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.172] SetErrorMode (uMode=0x1) returned 0x0 [0075.172] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.172] SetErrorMode (uMode=0x0) returned 0x1 [0075.172] SetErrorMode (uMode=0x1) returned 0x0 [0075.172] SetErrorMode (uMode=0x0) returned 0x1 [0075.172] GetFileType (hFile=0x30c) returned 0x1 [0075.173] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.203] CloseHandle (hObject=0x30c) returned 1 [0075.203] SetErrorMode (uMode=0x1) returned 0x0 [0075.203] SetErrorMode (uMode=0x0) returned 0x1 [0075.203] GetFileType (hFile=0x30c) returned 0x1 [0075.203] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.206] CloseHandle (hObject=0x30c) returned 1 [0075.237] SetErrorMode (uMode=0x1) returned 0x0 [0075.237] SetErrorMode (uMode=0x0) returned 0x1 [0075.237] GetFileType (hFile=0x30c) returned 0x1 [0075.237] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.240] CloseHandle (hObject=0x30c) returned 1 [0075.240] SetErrorMode (uMode=0x1) returned 0x0 [0075.240] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2e7239e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.240] SetErrorMode (uMode=0x0) returned 0x1 [0075.240] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.241] SetErrorMode (uMode=0x1) returned 0x0 [0075.241] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.241] SetErrorMode (uMode=0x0) returned 0x1 [0075.241] SetErrorMode (uMode=0x1) returned 0x0 [0075.241] SetErrorMode (uMode=0x0) returned 0x1 [0075.241] GetFileType (hFile=0x30c) returned 0x1 [0075.241] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.422] CloseHandle (hObject=0x30c) returned 1 [0075.422] SetErrorMode (uMode=0x1) returned 0x0 [0075.423] SetErrorMode (uMode=0x0) returned 0x1 [0075.424] GetFileType (hFile=0x30c) returned 0x1 [0075.424] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.427] CloseHandle (hObject=0x30c) returned 1 [0075.524] SetErrorMode (uMode=0x1) returned 0x0 [0075.524] SetErrorMode (uMode=0x0) returned 0x1 [0075.524] GetFileType (hFile=0x30c) returned 0x1 [0075.524] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.528] CloseHandle (hObject=0x30c) returned 1 [0075.529] SetErrorMode (uMode=0x1) returned 0x0 [0075.529] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3147256, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.529] SetErrorMode (uMode=0x0) returned 0x1 [0075.529] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.531] SetErrorMode (uMode=0x1) returned 0x0 [0075.531] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.617] SetErrorMode (uMode=0x0) returned 0x1 [0075.617] SetErrorMode (uMode=0x1) returned 0x0 [0075.617] SetErrorMode (uMode=0x0) returned 0x1 [0075.617] GetFileType (hFile=0x30c) returned 0x1 [0075.617] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.671] CloseHandle (hObject=0x30c) returned 1 [0075.671] SetErrorMode (uMode=0x1) returned 0x0 [0075.671] SetErrorMode (uMode=0x0) returned 0x1 [0075.671] GetFileType (hFile=0x30c) returned 0x1 [0075.671] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.674] CloseHandle (hObject=0x30c) returned 1 [0075.693] SetErrorMode (uMode=0x1) returned 0x0 [0075.693] SetErrorMode (uMode=0x0) returned 0x1 [0075.694] GetFileType (hFile=0x30c) returned 0x1 [0075.694] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.696] CloseHandle (hObject=0x30c) returned 1 [0075.697] SetErrorMode (uMode=0x1) returned 0x0 [0075.697] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe32c4766, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.697] SetErrorMode (uMode=0x0) returned 0x1 [0075.697] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.697] SetErrorMode (uMode=0x1) returned 0x0 [0075.698] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.700] SetErrorMode (uMode=0x0) returned 0x1 [0075.700] SetErrorMode (uMode=0x1) returned 0x0 [0075.700] SetErrorMode (uMode=0x0) returned 0x1 [0075.700] GetFileType (hFile=0x30c) returned 0x1 [0075.700] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.814] CloseHandle (hObject=0x30c) returned 1 [0075.814] SetErrorMode (uMode=0x1) returned 0x0 [0075.814] SetErrorMode (uMode=0x0) returned 0x1 [0075.814] GetFileType (hFile=0x30c) returned 0x1 [0075.814] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.817] CloseHandle (hObject=0x30c) returned 1 [0075.837] SetErrorMode (uMode=0x1) returned 0x0 [0075.837] SetErrorMode (uMode=0x0) returned 0x1 [0075.837] GetFileType (hFile=0x30c) returned 0x1 [0075.837] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0075.843] CloseHandle (hObject=0x30c) returned 1 [0075.843] SetErrorMode (uMode=0x1) returned 0x0 [0075.844] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xe34421d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0075.844] SetErrorMode (uMode=0x0) returned 0x1 [0075.844] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0075.844] SetErrorMode (uMode=0x1) returned 0x0 [0075.844] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0075.845] SetErrorMode (uMode=0x0) returned 0x1 [0075.845] SetErrorMode (uMode=0x1) returned 0x0 [0075.845] SetErrorMode (uMode=0x0) returned 0x1 [0075.845] GetFileType (hFile=0x30c) returned 0x1 [0075.845] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0075.973] CloseHandle (hObject=0x30c) returned 1 [0075.973] SetErrorMode (uMode=0x1) returned 0x0 [0075.974] SetErrorMode (uMode=0x0) returned 0x1 [0075.974] GetFileType (hFile=0x30c) returned 0x1 [0075.974] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0075.976] CloseHandle (hObject=0x30c) returned 1 [0076.002] SetErrorMode (uMode=0x1) returned 0x0 [0076.002] SetErrorMode (uMode=0x0) returned 0x1 [0076.002] GetFileType (hFile=0x30c) returned 0x1 [0076.002] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0076.026] CloseHandle (hObject=0x30c) returned 1 [0076.026] SetErrorMode (uMode=0x1) returned 0x0 [0076.026] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe35e5b00, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0076.026] SetErrorMode (uMode=0x0) returned 0x1 [0076.026] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0076.027] SetErrorMode (uMode=0x1) returned 0x0 [0076.027] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0076.096] SetErrorMode (uMode=0x0) returned 0x1 [0076.097] SetErrorMode (uMode=0x1) returned 0x0 [0076.097] SetErrorMode (uMode=0x0) returned 0x1 [0076.097] GetFileType (hFile=0x30c) returned 0x1 [0076.097] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0076.170] CloseHandle (hObject=0x30c) returned 1 [0076.170] SetErrorMode (uMode=0x1) returned 0x0 [0076.170] SetErrorMode (uMode=0x0) returned 0x1 [0076.170] GetFileType (hFile=0x30c) returned 0x1 [0076.170] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0076.178] CloseHandle (hObject=0x30c) returned 1 [0076.210] SetErrorMode (uMode=0x1) returned 0x0 [0076.210] SetErrorMode (uMode=0x0) returned 0x1 [0076.210] GetFileType (hFile=0x30c) returned 0x1 [0076.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0076.213] CloseHandle (hObject=0x30c) returned 1 [0076.213] SetErrorMode (uMode=0x1) returned 0x0 [0076.213] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe37af73c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0076.213] SetErrorMode (uMode=0x0) returned 0x1 [0076.213] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0076.214] SetErrorMode (uMode=0x1) returned 0x0 [0076.214] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0076.220] SetErrorMode (uMode=0x0) returned 0x1 [0076.718] SetErrorMode (uMode=0x1) returned 0x0 [0076.719] SetErrorMode (uMode=0x0) returned 0x1 [0076.719] GetFileType (hFile=0x30c) returned 0x1 [0076.719] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0076.727] CloseHandle (hObject=0x30c) returned 1 [0076.727] SetErrorMode (uMode=0x1) returned 0x0 [0076.727] SetErrorMode (uMode=0x0) returned 0x1 [0076.727] GetFileType (hFile=0x30c) returned 0x1 [0076.727] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0076.735] CloseHandle (hObject=0x30c) returned 1 [0076.858] SetErrorMode (uMode=0x1) returned 0x0 [0076.858] SetErrorMode (uMode=0x0) returned 0x1 [0076.858] GetFileType (hFile=0x30c) returned 0x1 [0076.858] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0076.861] CloseHandle (hObject=0x30c) returned 1 [0076.861] SetErrorMode (uMode=0x1) returned 0x0 [0076.861] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3df1a5d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0076.861] SetErrorMode (uMode=0x0) returned 0x1 [0076.862] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0076.862] SetErrorMode (uMode=0x1) returned 0x0 [0076.863] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0076.863] SetErrorMode (uMode=0x0) returned 0x1 [0076.863] SetErrorMode (uMode=0x1) returned 0x0 [0076.863] SetErrorMode (uMode=0x0) returned 0x1 [0076.863] GetFileType (hFile=0x30c) returned 0x1 [0076.864] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0076.888] CloseHandle (hObject=0x30c) returned 1 [0076.889] SetErrorMode (uMode=0x1) returned 0x0 [0076.889] SetErrorMode (uMode=0x0) returned 0x1 [0076.889] GetFileType (hFile=0x30c) returned 0x1 [0076.889] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0076.891] CloseHandle (hObject=0x30c) returned 1 [0076.907] SetErrorMode (uMode=0x1) returned 0x0 [0076.907] SetErrorMode (uMode=0x0) returned 0x1 [0076.907] GetFileType (hFile=0x30c) returned 0x1 [0076.907] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0076.910] CloseHandle (hObject=0x30c) returned 1 [0076.910] SetErrorMode (uMode=0x1) returned 0x0 [0076.910] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3e6418b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0076.910] SetErrorMode (uMode=0x0) returned 0x1 [0076.910] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0076.911] SetErrorMode (uMode=0x1) returned 0x0 [0076.911] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0076.911] SetErrorMode (uMode=0x0) returned 0x1 [0076.911] SetErrorMode (uMode=0x1) returned 0x0 [0076.911] SetErrorMode (uMode=0x0) returned 0x1 [0076.911] GetFileType (hFile=0x30c) returned 0x1 [0076.911] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0076.989] CloseHandle (hObject=0x30c) returned 1 [0076.989] SetErrorMode (uMode=0x1) returned 0x0 [0076.989] SetErrorMode (uMode=0x0) returned 0x1 [0076.989] GetFileType (hFile=0x30c) returned 0x1 [0076.989] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0076.992] CloseHandle (hObject=0x30c) returned 1 [0077.014] SetErrorMode (uMode=0x1) returned 0x0 [0077.014] SetErrorMode (uMode=0x0) returned 0x1 [0077.014] GetFileType (hFile=0x30c) returned 0x1 [0077.014] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0077.016] CloseHandle (hObject=0x30c) returned 1 [0077.017] SetErrorMode (uMode=0x1) returned 0x0 [0077.017] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3f6f192, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0077.017] SetErrorMode (uMode=0x0) returned 0x1 [0077.017] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.017] SetErrorMode (uMode=0x1) returned 0x0 [0077.017] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0077.018] SetErrorMode (uMode=0x0) returned 0x1 [0077.018] SetErrorMode (uMode=0x1) returned 0x0 [0077.018] SetErrorMode (uMode=0x0) returned 0x1 [0077.018] GetFileType (hFile=0x30c) returned 0x1 [0077.019] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0077.210] CloseHandle (hObject=0x30c) returned 1 [0077.210] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpFilePart=0x0) returned 0x39 [0077.210] SetErrorMode (uMode=0x1) returned 0x0 [0077.211] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0077.211] GetFileType (hFile=0x30c) returned 0x1 [0077.211] SetErrorMode (uMode=0x0) returned 0x1 [0077.211] GetFileType (hFile=0x30c) returned 0x1 [0077.211] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0077.211] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0077.211] SetEndOfFile (hFile=0x30c) returned 1 [0077.406] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0077.406] CloseHandle (hObject=0x30c) returned 1 [0077.426] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpFilePart=0x0) returned 0x39 [0077.426] SetErrorMode (uMode=0x1) returned 0x0 [0077.426] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0077.426] GetFileType (hFile=0x30c) returned 0x1 [0077.426] SetErrorMode (uMode=0x0) returned 0x1 [0077.426] GetFileType (hFile=0x30c) returned 0x1 [0077.426] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0077.429] CloseHandle (hObject=0x30c) returned 1 [0077.429] SetErrorMode (uMode=0x1) returned 0x0 [0077.429] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe434ee91, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0077.429] SetErrorMode (uMode=0x0) returned 0x1 [0077.429] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.430] SetErrorMode (uMode=0x1) returned 0x0 [0077.430] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0077.431] SetErrorMode (uMode=0x0) returned 0x1 [0077.431] SetErrorMode (uMode=0x1) returned 0x0 [0077.431] SetErrorMode (uMode=0x0) returned 0x1 [0077.431] GetFileType (hFile=0x30c) returned 0x1 [0077.431] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0077.436] CloseHandle (hObject=0x30c) returned 1 [0077.437] SetErrorMode (uMode=0x1) returned 0x0 [0077.437] SetErrorMode (uMode=0x0) returned 0x1 [0077.437] GetFileType (hFile=0x30c) returned 0x1 [0077.437] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0077.440] CloseHandle (hObject=0x30c) returned 1 [0077.663] SetErrorMode (uMode=0x1) returned 0x0 [0077.663] SetErrorMode (uMode=0x0) returned 0x1 [0077.663] GetFileType (hFile=0x30c) returned 0x1 [0077.663] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0077.668] CloseHandle (hObject=0x30c) returned 1 [0077.669] SetErrorMode (uMode=0x1) returned 0x0 [0077.669] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe45b14ed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0077.669] SetErrorMode (uMode=0x0) returned 0x1 [0077.669] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.670] SetErrorMode (uMode=0x1) returned 0x0 [0077.670] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0077.670] SetErrorMode (uMode=0x0) returned 0x1 [0077.670] SetErrorMode (uMode=0x1) returned 0x0 [0077.670] SetErrorMode (uMode=0x0) returned 0x1 [0077.670] GetFileType (hFile=0x30c) returned 0x1 [0077.670] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0077.672] CloseHandle (hObject=0x30c) returned 1 [0077.673] SetErrorMode (uMode=0x1) returned 0x0 [0077.673] SetErrorMode (uMode=0x0) returned 0x1 [0077.673] GetFileType (hFile=0x30c) returned 0x1 [0077.673] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0077.675] CloseHandle (hObject=0x30c) returned 1 [0077.693] SetErrorMode (uMode=0x1) returned 0x0 [0077.693] SetErrorMode (uMode=0x0) returned 0x1 [0077.693] GetFileType (hFile=0x30c) returned 0x1 [0077.693] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0077.696] CloseHandle (hObject=0x30c) returned 1 [0077.696] SetErrorMode (uMode=0x1) returned 0x0 [0077.696] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe45d76aa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0077.696] SetErrorMode (uMode=0x0) returned 0x1 [0077.696] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.740] SetErrorMode (uMode=0x1) returned 0x0 [0077.741] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0077.741] SetErrorMode (uMode=0x0) returned 0x1 [0077.741] SetErrorMode (uMode=0x1) returned 0x0 [0077.741] SetErrorMode (uMode=0x0) returned 0x1 [0077.741] GetFileType (hFile=0x30c) returned 0x1 [0077.741] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0077.743] CloseHandle (hObject=0x30c) returned 1 [0077.743] SetErrorMode (uMode=0x1) returned 0x0 [0077.743] SetErrorMode (uMode=0x0) returned 0x1 [0077.743] GetFileType (hFile=0x30c) returned 0x1 [0077.743] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0077.746] CloseHandle (hObject=0x30c) returned 1 [0077.822] SetErrorMode (uMode=0x1) returned 0x0 [0077.822] SetErrorMode (uMode=0x0) returned 0x1 [0077.822] GetFileType (hFile=0x30c) returned 0x1 [0077.822] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0077.825] CloseHandle (hObject=0x30c) returned 1 [0077.826] SetErrorMode (uMode=0x1) returned 0x0 [0077.826] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe472eaa3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0077.826] SetErrorMode (uMode=0x0) returned 0x1 [0077.826] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.828] SetErrorMode (uMode=0x1) returned 0x0 [0077.828] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0077.828] SetErrorMode (uMode=0x0) returned 0x1 [0077.829] SetErrorMode (uMode=0x1) returned 0x0 [0077.829] SetErrorMode (uMode=0x0) returned 0x1 [0077.829] GetFileType (hFile=0x30c) returned 0x1 [0077.829] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0077.831] CloseHandle (hObject=0x30c) returned 1 [0077.831] SetErrorMode (uMode=0x1) returned 0x0 [0077.831] SetErrorMode (uMode=0x0) returned 0x1 [0077.831] GetFileType (hFile=0x30c) returned 0x1 [0077.831] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0077.833] CloseHandle (hObject=0x30c) returned 1 [0077.848] SetErrorMode (uMode=0x1) returned 0x0 [0077.848] SetErrorMode (uMode=0x0) returned 0x1 [0077.848] GetFileType (hFile=0x30c) returned 0x1 [0077.848] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0077.851] CloseHandle (hObject=0x30c) returned 1 [0077.851] SetErrorMode (uMode=0x1) returned 0x0 [0077.851] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4754bcd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0077.851] SetErrorMode (uMode=0x0) returned 0x1 [0077.851] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0077.852] SetErrorMode (uMode=0x1) returned 0x0 [0077.852] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0077.853] SetErrorMode (uMode=0x0) returned 0x1 [0077.853] SetErrorMode (uMode=0x1) returned 0x0 [0077.853] SetErrorMode (uMode=0x0) returned 0x1 [0077.853] GetFileType (hFile=0x30c) returned 0x1 [0077.853] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0077.855] CloseHandle (hObject=0x30c) returned 1 [0077.855] SetErrorMode (uMode=0x1) returned 0x0 [0077.855] SetErrorMode (uMode=0x0) returned 0x1 [0077.855] GetFileType (hFile=0x30c) returned 0x1 [0077.855] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0077.858] CloseHandle (hObject=0x30c) returned 1 [0078.034] SetErrorMode (uMode=0x1) returned 0x0 [0078.034] SetErrorMode (uMode=0x0) returned 0x1 [0078.034] GetFileType (hFile=0x30c) returned 0x1 [0078.034] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.037] CloseHandle (hObject=0x30c) returned 1 [0078.037] SetErrorMode (uMode=0x1) returned 0x0 [0078.037] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe491eafa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.037] SetErrorMode (uMode=0x0) returned 0x1 [0078.037] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.038] SetErrorMode (uMode=0x1) returned 0x0 [0078.038] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.039] SetErrorMode (uMode=0x0) returned 0x1 [0078.039] SetErrorMode (uMode=0x1) returned 0x0 [0078.039] SetErrorMode (uMode=0x0) returned 0x1 [0078.039] GetFileType (hFile=0x30c) returned 0x1 [0078.039] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.041] CloseHandle (hObject=0x30c) returned 1 [0078.041] SetErrorMode (uMode=0x1) returned 0x0 [0078.042] SetErrorMode (uMode=0x0) returned 0x1 [0078.042] GetFileType (hFile=0x30c) returned 0x1 [0078.042] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.044] CloseHandle (hObject=0x30c) returned 1 [0078.059] SetErrorMode (uMode=0x1) returned 0x0 [0078.059] SetErrorMode (uMode=0x0) returned 0x1 [0078.059] GetFileType (hFile=0x30c) returned 0x1 [0078.060] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.062] CloseHandle (hObject=0x30c) returned 1 [0078.063] SetErrorMode (uMode=0x1) returned 0x0 [0078.063] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe496acb9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.063] SetErrorMode (uMode=0x0) returned 0x1 [0078.063] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.064] SetErrorMode (uMode=0x1) returned 0x0 [0078.064] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.064] SetErrorMode (uMode=0x0) returned 0x1 [0078.064] SetErrorMode (uMode=0x1) returned 0x0 [0078.064] SetErrorMode (uMode=0x0) returned 0x1 [0078.064] GetFileType (hFile=0x30c) returned 0x1 [0078.064] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.171] CloseHandle (hObject=0x30c) returned 1 [0078.171] SetErrorMode (uMode=0x1) returned 0x0 [0078.171] SetErrorMode (uMode=0x0) returned 0x1 [0078.171] GetFileType (hFile=0x30c) returned 0x1 [0078.171] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.174] CloseHandle (hObject=0x30c) returned 1 [0078.187] SetErrorMode (uMode=0x1) returned 0x0 [0078.187] SetErrorMode (uMode=0x0) returned 0x1 [0078.187] GetFileType (hFile=0x30c) returned 0x1 [0078.187] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.192] CloseHandle (hObject=0x30c) returned 1 [0078.193] SetErrorMode (uMode=0x1) returned 0x0 [0078.193] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4a9c205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.193] SetErrorMode (uMode=0x0) returned 0x1 [0078.193] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.194] SetErrorMode (uMode=0x1) returned 0x0 [0078.194] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.194] SetErrorMode (uMode=0x0) returned 0x1 [0078.194] SetErrorMode (uMode=0x1) returned 0x0 [0078.194] SetErrorMode (uMode=0x0) returned 0x1 [0078.194] GetFileType (hFile=0x30c) returned 0x1 [0078.194] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.196] CloseHandle (hObject=0x30c) returned 1 [0078.196] SetErrorMode (uMode=0x1) returned 0x0 [0078.196] SetErrorMode (uMode=0x0) returned 0x1 [0078.196] GetFileType (hFile=0x30c) returned 0x1 [0078.196] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.199] CloseHandle (hObject=0x30c) returned 1 [0078.212] SetErrorMode (uMode=0x1) returned 0x0 [0078.212] SetErrorMode (uMode=0x0) returned 0x1 [0078.212] GetFileType (hFile=0x30c) returned 0x1 [0078.212] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.218] CloseHandle (hObject=0x30c) returned 1 [0078.218] SetErrorMode (uMode=0x1) returned 0x0 [0078.218] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4ae8728, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.218] SetErrorMode (uMode=0x0) returned 0x1 [0078.218] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.219] SetErrorMode (uMode=0x1) returned 0x0 [0078.219] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.219] SetErrorMode (uMode=0x0) returned 0x1 [0078.219] SetErrorMode (uMode=0x1) returned 0x0 [0078.219] SetErrorMode (uMode=0x0) returned 0x1 [0078.219] GetFileType (hFile=0x30c) returned 0x1 [0078.219] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.221] CloseHandle (hObject=0x30c) returned 1 [0078.221] SetErrorMode (uMode=0x1) returned 0x0 [0078.221] SetErrorMode (uMode=0x0) returned 0x1 [0078.221] GetFileType (hFile=0x30c) returned 0x1 [0078.221] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.224] CloseHandle (hObject=0x30c) returned 1 [0078.249] SetErrorMode (uMode=0x1) returned 0x0 [0078.250] SetErrorMode (uMode=0x0) returned 0x1 [0078.250] GetFileType (hFile=0x30c) returned 0x1 [0078.250] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.254] CloseHandle (hObject=0x30c) returned 1 [0078.254] SetErrorMode (uMode=0x1) returned 0x0 [0078.254] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4b34bcf, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.254] SetErrorMode (uMode=0x0) returned 0x1 [0078.254] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.259] SetErrorMode (uMode=0x1) returned 0x0 [0078.259] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.259] SetErrorMode (uMode=0x0) returned 0x1 [0078.260] SetErrorMode (uMode=0x1) returned 0x0 [0078.260] SetErrorMode (uMode=0x0) returned 0x1 [0078.260] GetFileType (hFile=0x30c) returned 0x1 [0078.260] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.272] CloseHandle (hObject=0x30c) returned 1 [0078.272] SetErrorMode (uMode=0x1) returned 0x0 [0078.272] SetErrorMode (uMode=0x0) returned 0x1 [0078.272] GetFileType (hFile=0x30c) returned 0x1 [0078.272] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.275] CloseHandle (hObject=0x30c) returned 1 [0078.311] SetErrorMode (uMode=0x1) returned 0x0 [0078.311] SetErrorMode (uMode=0x0) returned 0x1 [0078.311] GetFileType (hFile=0x30c) returned 0x1 [0078.311] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.314] CloseHandle (hObject=0x30c) returned 1 [0078.314] SetErrorMode (uMode=0x1) returned 0x0 [0078.314] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4bcd52c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.314] SetErrorMode (uMode=0x0) returned 0x1 [0078.314] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.315] SetErrorMode (uMode=0x1) returned 0x0 [0078.315] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.315] SetErrorMode (uMode=0x0) returned 0x1 [0078.315] SetErrorMode (uMode=0x1) returned 0x0 [0078.315] SetErrorMode (uMode=0x0) returned 0x1 [0078.315] GetFileType (hFile=0x30c) returned 0x1 [0078.315] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.328] CloseHandle (hObject=0x30c) returned 1 [0078.328] SetErrorMode (uMode=0x1) returned 0x0 [0078.328] SetErrorMode (uMode=0x0) returned 0x1 [0078.328] GetFileType (hFile=0x30c) returned 0x1 [0078.328] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.331] CloseHandle (hObject=0x30c) returned 1 [0078.347] SetErrorMode (uMode=0x1) returned 0x0 [0078.347] SetErrorMode (uMode=0x0) returned 0x1 [0078.347] GetFileType (hFile=0x30c) returned 0x1 [0078.347] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.350] CloseHandle (hObject=0x30c) returned 1 [0078.350] SetErrorMode (uMode=0x1) returned 0x0 [0078.350] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4c199c3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.350] SetErrorMode (uMode=0x0) returned 0x1 [0078.350] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.351] SetErrorMode (uMode=0x1) returned 0x0 [0078.351] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.351] SetErrorMode (uMode=0x0) returned 0x1 [0078.351] SetErrorMode (uMode=0x1) returned 0x0 [0078.351] SetErrorMode (uMode=0x0) returned 0x1 [0078.351] GetFileType (hFile=0x30c) returned 0x1 [0078.352] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.358] CloseHandle (hObject=0x30c) returned 1 [0078.358] SetErrorMode (uMode=0x1) returned 0x0 [0078.358] SetErrorMode (uMode=0x0) returned 0x1 [0078.358] GetFileType (hFile=0x30c) returned 0x1 [0078.358] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.361] CloseHandle (hObject=0x30c) returned 1 [0078.379] SetErrorMode (uMode=0x1) returned 0x0 [0078.379] SetErrorMode (uMode=0x0) returned 0x1 [0078.379] GetFileType (hFile=0x30c) returned 0x1 [0078.379] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.382] CloseHandle (hObject=0x30c) returned 1 [0078.382] SetErrorMode (uMode=0x1) returned 0x0 [0078.382] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4c65ee4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.382] SetErrorMode (uMode=0x0) returned 0x1 [0078.382] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.383] SetErrorMode (uMode=0x1) returned 0x0 [0078.383] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.384] SetErrorMode (uMode=0x0) returned 0x1 [0078.384] SetErrorMode (uMode=0x1) returned 0x0 [0078.384] SetErrorMode (uMode=0x0) returned 0x1 [0078.384] GetFileType (hFile=0x30c) returned 0x1 [0078.384] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.400] CloseHandle (hObject=0x30c) returned 1 [0078.401] SetErrorMode (uMode=0x1) returned 0x0 [0078.401] SetErrorMode (uMode=0x0) returned 0x1 [0078.401] GetFileType (hFile=0x30c) returned 0x1 [0078.401] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.404] CloseHandle (hObject=0x30c) returned 1 [0078.546] SetErrorMode (uMode=0x1) returned 0x0 [0078.546] SetErrorMode (uMode=0x0) returned 0x1 [0078.546] GetFileType (hFile=0x30c) returned 0x1 [0078.546] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.549] CloseHandle (hObject=0x30c) returned 1 [0078.549] SetErrorMode (uMode=0x1) returned 0x0 [0078.549] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4e0959e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.550] SetErrorMode (uMode=0x0) returned 0x1 [0078.550] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.550] SetErrorMode (uMode=0x1) returned 0x0 [0078.550] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.551] SetErrorMode (uMode=0x0) returned 0x1 [0078.551] SetErrorMode (uMode=0x1) returned 0x0 [0078.551] SetErrorMode (uMode=0x0) returned 0x1 [0078.551] GetFileType (hFile=0x30c) returned 0x1 [0078.551] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.553] CloseHandle (hObject=0x30c) returned 1 [0078.553] SetErrorMode (uMode=0x1) returned 0x0 [0078.553] SetErrorMode (uMode=0x0) returned 0x1 [0078.553] GetFileType (hFile=0x30c) returned 0x1 [0078.553] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.555] CloseHandle (hObject=0x30c) returned 1 [0078.585] SetErrorMode (uMode=0x1) returned 0x0 [0078.585] SetErrorMode (uMode=0x0) returned 0x1 [0078.585] GetFileType (hFile=0x30c) returned 0x1 [0078.585] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.588] CloseHandle (hObject=0x30c) returned 1 [0078.588] SetErrorMode (uMode=0x1) returned 0x0 [0078.588] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4e55d85, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.588] SetErrorMode (uMode=0x0) returned 0x1 [0078.589] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.589] SetErrorMode (uMode=0x1) returned 0x0 [0078.589] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.590] SetErrorMode (uMode=0x0) returned 0x1 [0078.590] SetErrorMode (uMode=0x1) returned 0x0 [0078.591] SetErrorMode (uMode=0x0) returned 0x1 [0078.591] GetFileType (hFile=0x30c) returned 0x1 [0078.591] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.595] CloseHandle (hObject=0x30c) returned 1 [0078.595] SetErrorMode (uMode=0x1) returned 0x0 [0078.595] SetErrorMode (uMode=0x0) returned 0x1 [0078.595] GetFileType (hFile=0x30c) returned 0x1 [0078.595] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.598] CloseHandle (hObject=0x30c) returned 1 [0078.671] SetErrorMode (uMode=0x1) returned 0x0 [0078.672] SetErrorMode (uMode=0x0) returned 0x1 [0078.672] GetFileType (hFile=0x30c) returned 0x1 [0078.672] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.674] CloseHandle (hObject=0x30c) returned 1 [0078.675] SetErrorMode (uMode=0x1) returned 0x0 [0078.675] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4f3ab97, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.675] SetErrorMode (uMode=0x0) returned 0x1 [0078.675] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.676] SetErrorMode (uMode=0x1) returned 0x0 [0078.676] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.676] SetErrorMode (uMode=0x0) returned 0x1 [0078.676] SetErrorMode (uMode=0x1) returned 0x0 [0078.676] SetErrorMode (uMode=0x0) returned 0x1 [0078.676] GetFileType (hFile=0x30c) returned 0x1 [0078.676] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.712] CloseHandle (hObject=0x30c) returned 1 [0078.712] SetErrorMode (uMode=0x1) returned 0x0 [0078.712] SetErrorMode (uMode=0x0) returned 0x1 [0078.712] GetFileType (hFile=0x30c) returned 0x1 [0078.712] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.715] CloseHandle (hObject=0x30c) returned 1 [0078.798] SetErrorMode (uMode=0x1) returned 0x0 [0078.798] SetErrorMode (uMode=0x0) returned 0x1 [0078.798] GetFileType (hFile=0x30c) returned 0x1 [0078.798] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.801] CloseHandle (hObject=0x30c) returned 1 [0078.801] SetErrorMode (uMode=0x1) returned 0x0 [0078.801] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe506bab7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.801] SetErrorMode (uMode=0x0) returned 0x1 [0078.801] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.802] SetErrorMode (uMode=0x1) returned 0x0 [0078.802] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.802] SetErrorMode (uMode=0x0) returned 0x1 [0078.802] SetErrorMode (uMode=0x1) returned 0x0 [0078.803] SetErrorMode (uMode=0x0) returned 0x1 [0078.803] GetFileType (hFile=0x30c) returned 0x1 [0078.803] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.806] CloseHandle (hObject=0x30c) returned 1 [0078.806] SetErrorMode (uMode=0x1) returned 0x0 [0078.806] SetErrorMode (uMode=0x0) returned 0x1 [0078.806] GetFileType (hFile=0x30c) returned 0x1 [0078.806] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.809] CloseHandle (hObject=0x30c) returned 1 [0078.824] SetErrorMode (uMode=0x1) returned 0x0 [0078.824] SetErrorMode (uMode=0x0) returned 0x1 [0078.824] GetFileType (hFile=0x30c) returned 0x1 [0078.824] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0078.827] CloseHandle (hObject=0x30c) returned 1 [0078.827] SetErrorMode (uMode=0x1) returned 0x0 [0078.827] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe50b8273, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0078.827] SetErrorMode (uMode=0x0) returned 0x1 [0078.827] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.828] SetErrorMode (uMode=0x1) returned 0x0 [0078.828] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0078.915] SetErrorMode (uMode=0x0) returned 0x1 [0078.915] SetErrorMode (uMode=0x1) returned 0x0 [0078.916] SetErrorMode (uMode=0x0) returned 0x1 [0078.916] GetFileType (hFile=0x30c) returned 0x1 [0078.916] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0078.920] CloseHandle (hObject=0x30c) returned 1 [0078.920] SetErrorMode (uMode=0x1) returned 0x0 [0078.920] SetErrorMode (uMode=0x0) returned 0x1 [0078.920] GetFileType (hFile=0x30c) returned 0x1 [0078.920] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0078.923] CloseHandle (hObject=0x30c) returned 1 [0078.941] SetErrorMode (uMode=0x1) returned 0x0 [0078.941] SetErrorMode (uMode=0x0) returned 0x1 [0078.941] GetFileType (hFile=0x30c) returned 0x1 [0078.941] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0078.945] CloseHandle (hObject=0x30c) returned 1 [0078.945] SetErrorMode (uMode=0x1) returned 0x0 [0078.945] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe51c6440, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0078.945] SetErrorMode (uMode=0x0) returned 0x1 [0078.945] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0078.946] SetErrorMode (uMode=0x1) returned 0x0 [0078.946] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0078.946] SetErrorMode (uMode=0x0) returned 0x1 [0078.946] SetErrorMode (uMode=0x1) returned 0x0 [0078.946] SetErrorMode (uMode=0x0) returned 0x1 [0078.946] GetFileType (hFile=0x30c) returned 0x1 [0078.946] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0078.949] CloseHandle (hObject=0x30c) returned 1 [0078.949] SetErrorMode (uMode=0x1) returned 0x0 [0078.949] SetErrorMode (uMode=0x0) returned 0x1 [0078.949] GetFileType (hFile=0x30c) returned 0x1 [0078.949] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0078.951] CloseHandle (hObject=0x30c) returned 1 [0079.048] SetErrorMode (uMode=0x1) returned 0x0 [0079.048] SetErrorMode (uMode=0x0) returned 0x1 [0079.048] GetFileType (hFile=0x30c) returned 0x1 [0079.048] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.050] CloseHandle (hObject=0x30c) returned 1 [0079.051] SetErrorMode (uMode=0x1) returned 0x0 [0079.051] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe52ce110, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.051] SetErrorMode (uMode=0x0) returned 0x1 [0079.051] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.052] SetErrorMode (uMode=0x1) returned 0x0 [0079.052] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.052] SetErrorMode (uMode=0x0) returned 0x1 [0079.052] SetErrorMode (uMode=0x1) returned 0x0 [0079.052] SetErrorMode (uMode=0x0) returned 0x1 [0079.052] GetFileType (hFile=0x30c) returned 0x1 [0079.052] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.054] CloseHandle (hObject=0x30c) returned 1 [0079.055] SetErrorMode (uMode=0x1) returned 0x0 [0079.055] SetErrorMode (uMode=0x0) returned 0x1 [0079.055] GetFileType (hFile=0x30c) returned 0x1 [0079.055] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.057] CloseHandle (hObject=0x30c) returned 1 [0079.080] SetErrorMode (uMode=0x1) returned 0x0 [0079.080] SetErrorMode (uMode=0x0) returned 0x1 [0079.080] GetFileType (hFile=0x30c) returned 0x1 [0079.080] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.083] CloseHandle (hObject=0x30c) returned 1 [0079.083] SetErrorMode (uMode=0x1) returned 0x0 [0079.083] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe531a830, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.083] SetErrorMode (uMode=0x0) returned 0x1 [0079.083] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.084] SetErrorMode (uMode=0x1) returned 0x0 [0079.084] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.084] SetErrorMode (uMode=0x0) returned 0x1 [0079.084] SetErrorMode (uMode=0x1) returned 0x0 [0079.084] SetErrorMode (uMode=0x0) returned 0x1 [0079.084] GetFileType (hFile=0x30c) returned 0x1 [0079.084] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.138] CloseHandle (hObject=0x30c) returned 1 [0079.141] SetErrorMode (uMode=0x1) returned 0x0 [0079.141] SetErrorMode (uMode=0x0) returned 0x1 [0079.141] GetFileType (hFile=0x30c) returned 0x1 [0079.141] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.144] CloseHandle (hObject=0x30c) returned 1 [0079.162] SetErrorMode (uMode=0x1) returned 0x0 [0079.162] SetErrorMode (uMode=0x0) returned 0x1 [0079.162] GetFileType (hFile=0x30c) returned 0x1 [0079.162] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.165] CloseHandle (hObject=0x30c) returned 1 [0079.165] SetErrorMode (uMode=0x1) returned 0x0 [0079.165] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe53d93d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.165] SetErrorMode (uMode=0x0) returned 0x1 [0079.165] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.166] SetErrorMode (uMode=0x1) returned 0x0 [0079.166] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.166] SetErrorMode (uMode=0x0) returned 0x1 [0079.167] SetErrorMode (uMode=0x1) returned 0x0 [0079.167] SetErrorMode (uMode=0x0) returned 0x1 [0079.167] GetFileType (hFile=0x30c) returned 0x1 [0079.167] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.170] CloseHandle (hObject=0x30c) returned 1 [0079.170] SetErrorMode (uMode=0x1) returned 0x0 [0079.171] SetErrorMode (uMode=0x0) returned 0x1 [0079.171] GetFileType (hFile=0x30c) returned 0x1 [0079.171] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.173] CloseHandle (hObject=0x30c) returned 1 [0079.261] SetErrorMode (uMode=0x1) returned 0x0 [0079.261] SetErrorMode (uMode=0x0) returned 0x1 [0079.261] GetFileType (hFile=0x30c) returned 0x1 [0079.261] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.264] CloseHandle (hObject=0x30c) returned 1 [0079.264] SetErrorMode (uMode=0x1) returned 0x0 [0079.264] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe54e41dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.264] SetErrorMode (uMode=0x0) returned 0x1 [0079.264] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.265] SetErrorMode (uMode=0x1) returned 0x0 [0079.265] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.266] SetErrorMode (uMode=0x0) returned 0x1 [0079.266] SetErrorMode (uMode=0x1) returned 0x0 [0079.266] SetErrorMode (uMode=0x0) returned 0x1 [0079.266] GetFileType (hFile=0x30c) returned 0x1 [0079.266] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.335] CloseHandle (hObject=0x30c) returned 1 [0079.335] SetErrorMode (uMode=0x1) returned 0x0 [0079.336] SetErrorMode (uMode=0x0) returned 0x1 [0079.336] GetFileType (hFile=0x30c) returned 0x1 [0079.336] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.338] CloseHandle (hObject=0x30c) returned 1 [0079.351] SetErrorMode (uMode=0x1) returned 0x0 [0079.351] SetErrorMode (uMode=0x0) returned 0x1 [0079.351] GetFileType (hFile=0x30c) returned 0x1 [0079.351] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.354] CloseHandle (hObject=0x30c) returned 1 [0079.354] SetErrorMode (uMode=0x1) returned 0x0 [0079.354] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe55a2fe1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.354] SetErrorMode (uMode=0x0) returned 0x1 [0079.354] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.355] SetErrorMode (uMode=0x1) returned 0x0 [0079.355] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.426] SetErrorMode (uMode=0x0) returned 0x1 [0079.427] SetErrorMode (uMode=0x1) returned 0x0 [0079.427] SetErrorMode (uMode=0x0) returned 0x1 [0079.427] GetFileType (hFile=0x30c) returned 0x1 [0079.427] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.531] CloseHandle (hObject=0x30c) returned 1 [0079.532] SetErrorMode (uMode=0x1) returned 0x0 [0079.532] SetErrorMode (uMode=0x0) returned 0x1 [0079.532] GetFileType (hFile=0x30c) returned 0x1 [0079.532] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.534] CloseHandle (hObject=0x30c) returned 1 [0079.548] SetErrorMode (uMode=0x1) returned 0x0 [0079.548] SetErrorMode (uMode=0x0) returned 0x1 [0079.548] GetFileType (hFile=0x30c) returned 0x1 [0079.548] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.550] CloseHandle (hObject=0x30c) returned 1 [0079.551] SetErrorMode (uMode=0x1) returned 0x0 [0079.551] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5792e91, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.551] SetErrorMode (uMode=0x0) returned 0x1 [0079.551] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.552] SetErrorMode (uMode=0x1) returned 0x0 [0079.552] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.552] SetErrorMode (uMode=0x0) returned 0x1 [0079.552] SetErrorMode (uMode=0x1) returned 0x0 [0079.552] SetErrorMode (uMode=0x0) returned 0x1 [0079.552] GetFileType (hFile=0x30c) returned 0x1 [0079.552] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.599] CloseHandle (hObject=0x30c) returned 1 [0079.599] SetErrorMode (uMode=0x1) returned 0x0 [0079.599] SetErrorMode (uMode=0x0) returned 0x1 [0079.599] GetFileType (hFile=0x30c) returned 0x1 [0079.599] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.601] CloseHandle (hObject=0x30c) returned 1 [0079.666] SetErrorMode (uMode=0x1) returned 0x0 [0079.668] SetErrorMode (uMode=0x0) returned 0x1 [0079.669] GetFileType (hFile=0x30c) returned 0x1 [0079.669] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.673] CloseHandle (hObject=0x30c) returned 1 [0079.673] SetErrorMode (uMode=0x1) returned 0x0 [0079.673] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe58c41f9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.674] SetErrorMode (uMode=0x0) returned 0x1 [0079.674] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.675] SetErrorMode (uMode=0x1) returned 0x0 [0079.676] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.676] SetErrorMode (uMode=0x0) returned 0x1 [0079.676] SetErrorMode (uMode=0x1) returned 0x0 [0079.676] SetErrorMode (uMode=0x0) returned 0x1 [0079.676] GetFileType (hFile=0x30c) returned 0x1 [0079.676] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.679] CloseHandle (hObject=0x30c) returned 1 [0079.679] SetErrorMode (uMode=0x1) returned 0x0 [0079.679] SetErrorMode (uMode=0x0) returned 0x1 [0079.679] GetFileType (hFile=0x30c) returned 0x1 [0079.679] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.682] CloseHandle (hObject=0x30c) returned 1 [0079.780] SetErrorMode (uMode=0x1) returned 0x0 [0079.781] SetErrorMode (uMode=0x0) returned 0x1 [0079.781] GetFileType (hFile=0x30c) returned 0x1 [0079.781] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.788] CloseHandle (hObject=0x30c) returned 1 [0079.789] SetErrorMode (uMode=0x1) returned 0x0 [0079.789] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe59ece1d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.789] SetErrorMode (uMode=0x0) returned 0x1 [0079.789] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.790] SetErrorMode (uMode=0x1) returned 0x0 [0079.790] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.790] SetErrorMode (uMode=0x0) returned 0x1 [0079.790] SetErrorMode (uMode=0x1) returned 0x0 [0079.791] SetErrorMode (uMode=0x0) returned 0x1 [0079.791] GetFileType (hFile=0x30c) returned 0x1 [0079.791] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.793] CloseHandle (hObject=0x30c) returned 1 [0079.793] SetErrorMode (uMode=0x1) returned 0x0 [0079.793] SetErrorMode (uMode=0x0) returned 0x1 [0079.793] GetFileType (hFile=0x30c) returned 0x1 [0079.793] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.796] CloseHandle (hObject=0x30c) returned 1 [0079.899] SetErrorMode (uMode=0x1) returned 0x0 [0079.899] SetErrorMode (uMode=0x0) returned 0x1 [0079.899] GetFileType (hFile=0x30c) returned 0x1 [0079.899] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.902] CloseHandle (hObject=0x30c) returned 1 [0079.902] SetErrorMode (uMode=0x1) returned 0x0 [0079.902] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5ae5a84, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.902] SetErrorMode (uMode=0x0) returned 0x1 [0079.902] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.903] SetErrorMode (uMode=0x1) returned 0x0 [0079.903] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0079.903] SetErrorMode (uMode=0x0) returned 0x1 [0079.903] SetErrorMode (uMode=0x1) returned 0x0 [0079.903] SetErrorMode (uMode=0x0) returned 0x1 [0079.904] GetFileType (hFile=0x30c) returned 0x1 [0079.904] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0079.906] CloseHandle (hObject=0x30c) returned 1 [0079.906] SetErrorMode (uMode=0x1) returned 0x0 [0079.906] SetErrorMode (uMode=0x0) returned 0x1 [0079.906] GetFileType (hFile=0x30c) returned 0x1 [0079.906] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0079.912] CloseHandle (hObject=0x30c) returned 1 [0079.928] SetErrorMode (uMode=0x1) returned 0x0 [0079.928] SetErrorMode (uMode=0x0) returned 0x1 [0079.928] GetFileType (hFile=0x30c) returned 0x1 [0079.928] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0079.931] CloseHandle (hObject=0x30c) returned 1 [0079.931] SetErrorMode (uMode=0x1) returned 0x0 [0079.931] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5b31ee5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0079.931] SetErrorMode (uMode=0x0) returned 0x1 [0079.932] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0079.932] SetErrorMode (uMode=0x1) returned 0x0 [0079.932] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.067] SetErrorMode (uMode=0x0) returned 0x1 [0080.068] SetErrorMode (uMode=0x1) returned 0x0 [0080.068] SetErrorMode (uMode=0x0) returned 0x1 [0080.068] GetFileType (hFile=0x30c) returned 0x1 [0080.068] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.070] CloseHandle (hObject=0x30c) returned 1 [0080.071] SetErrorMode (uMode=0x1) returned 0x0 [0080.071] SetErrorMode (uMode=0x0) returned 0x1 [0080.071] GetFileType (hFile=0x30c) returned 0x1 [0080.071] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.073] CloseHandle (hObject=0x30c) returned 1 [0080.226] SetErrorMode (uMode=0x1) returned 0x0 [0080.226] SetErrorMode (uMode=0x0) returned 0x1 [0080.226] GetFileType (hFile=0x30c) returned 0x1 [0080.226] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.231] CloseHandle (hObject=0x30c) returned 1 [0080.232] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", lpFilePart=0x0) returned 0x31 [0080.232] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x61 [0080.232] SetErrorMode (uMode=0x1) returned 0x0 [0080.232] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5e06b65, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.232] SetErrorMode (uMode=0x0) returned 0x1 [0080.232] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.233] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", lpFilePart=0x0) returned 0x31 [0080.233] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 0 [0080.233] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpFilePart=0x0) returned 0x39 [0080.233] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpFilePart=0x0) returned 0x39 [0080.234] SetErrorMode (uMode=0x1) returned 0x0 [0080.234] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.234] SetErrorMode (uMode=0x0) returned 0x1 [0080.235] SetErrorMode (uMode=0x1) returned 0x0 [0080.235] SetErrorMode (uMode=0x0) returned 0x1 [0080.235] GetFileType (hFile=0x30c) returned 0x1 [0080.235] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.235] ReadFile (in: hFile=0x30c, lpBuffer=0x3008180, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3008180*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.237] CloseHandle (hObject=0x30c) returned 1 [0080.237] SetErrorMode (uMode=0x1) returned 0x0 [0080.237] SetErrorMode (uMode=0x0) returned 0x1 [0080.237] GetFileType (hFile=0x30c) returned 0x1 [0080.237] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.237] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.238] SetEndOfFile (hFile=0x30c) returned 1 [0080.240] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.240] CloseHandle (hObject=0x30c) returned 1 [0080.389] SetErrorMode (uMode=0x1) returned 0x0 [0080.389] SetErrorMode (uMode=0x0) returned 0x1 [0080.389] GetFileType (hFile=0x30c) returned 0x1 [0080.389] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.497] CloseHandle (hObject=0x30c) returned 1 [0080.498] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpFilePart=0x0) returned 0x39 [0080.498] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x69 [0080.498] SetErrorMode (uMode=0x1) returned 0x0 [0080.498] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe608f3be, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.498] SetErrorMode (uMode=0x0) returned 0x1 [0080.498] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.499] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpFilePart=0x0) returned 0x39 [0080.499] SetErrorMode (uMode=0x1) returned 0x0 [0080.499] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.500] SetErrorMode (uMode=0x0) returned 0x1 [0080.500] SetErrorMode (uMode=0x1) returned 0x0 [0080.500] SetErrorMode (uMode=0x0) returned 0x1 [0080.500] GetFileType (hFile=0x30c) returned 0x1 [0080.500] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.500] ReadFile (in: hFile=0x30c, lpBuffer=0x308c458, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x308c458*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.502] CloseHandle (hObject=0x30c) returned 1 [0080.502] SetErrorMode (uMode=0x1) returned 0x0 [0080.502] SetErrorMode (uMode=0x0) returned 0x1 [0080.502] GetFileType (hFile=0x30c) returned 0x1 [0080.503] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.503] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.503] SetEndOfFile (hFile=0x30c) returned 1 [0080.505] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.505] CloseHandle (hObject=0x30c) returned 1 [0080.524] SetErrorMode (uMode=0x1) returned 0x0 [0080.524] SetErrorMode (uMode=0x0) returned 0x1 [0080.524] GetFileType (hFile=0x30c) returned 0x1 [0080.524] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.527] CloseHandle (hObject=0x30c) returned 1 [0080.527] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpFilePart=0x0) returned 0x4a [0080.527] SetErrorMode (uMode=0x1) returned 0x0 [0080.527] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe60db818, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.528] SetErrorMode (uMode=0x0) returned 0x1 [0080.528] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.528] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpFilePart=0x0) returned 0x4a [0080.528] SetErrorMode (uMode=0x1) returned 0x0 [0080.528] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.529] SetErrorMode (uMode=0x0) returned 0x1 [0080.529] SetErrorMode (uMode=0x1) returned 0x0 [0080.529] SetErrorMode (uMode=0x0) returned 0x1 [0080.529] GetFileType (hFile=0x30c) returned 0x1 [0080.529] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.529] ReadFile (in: hFile=0x30c, lpBuffer=0x31119d8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x31119d8*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.535] CloseHandle (hObject=0x30c) returned 1 [0080.535] SetErrorMode (uMode=0x1) returned 0x0 [0080.535] SetErrorMode (uMode=0x0) returned 0x1 [0080.535] GetFileType (hFile=0x30c) returned 0x1 [0080.535] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.535] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.535] SetEndOfFile (hFile=0x30c) returned 1 [0080.538] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.538] CloseHandle (hObject=0x30c) returned 1 [0080.557] SetErrorMode (uMode=0x1) returned 0x0 [0080.557] SetErrorMode (uMode=0x0) returned 0x1 [0080.557] GetFileType (hFile=0x30c) returned 0x1 [0080.557] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.560] CloseHandle (hObject=0x30c) returned 1 [0080.560] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpFilePart=0x0) returned 0x50 [0080.560] SetErrorMode (uMode=0x1) returned 0x0 [0080.560] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6127d6f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.560] SetErrorMode (uMode=0x0) returned 0x1 [0080.561] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.561] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpFilePart=0x0) returned 0x50 [0080.561] SetErrorMode (uMode=0x1) returned 0x0 [0080.562] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.563] SetErrorMode (uMode=0x0) returned 0x1 [0080.563] SetErrorMode (uMode=0x1) returned 0x0 [0080.563] SetErrorMode (uMode=0x0) returned 0x1 [0080.563] GetFileType (hFile=0x30c) returned 0x1 [0080.563] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.563] ReadFile (in: hFile=0x30c, lpBuffer=0x31bc5e0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x31bc5e0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.565] CloseHandle (hObject=0x30c) returned 1 [0080.565] SetErrorMode (uMode=0x1) returned 0x0 [0080.565] SetErrorMode (uMode=0x0) returned 0x1 [0080.565] GetFileType (hFile=0x30c) returned 0x1 [0080.565] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.565] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.565] SetEndOfFile (hFile=0x30c) returned 1 [0080.568] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.568] CloseHandle (hObject=0x30c) returned 1 [0080.838] SetErrorMode (uMode=0x1) returned 0x0 [0080.838] SetErrorMode (uMode=0x0) returned 0x1 [0080.838] GetFileType (hFile=0x30c) returned 0x1 [0080.838] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.842] CloseHandle (hObject=0x30c) returned 1 [0080.842] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpFilePart=0x0) returned 0x4e [0080.842] SetErrorMode (uMode=0x1) returned 0x0 [0080.842] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe63d6676, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.842] SetErrorMode (uMode=0x0) returned 0x1 [0080.842] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.843] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpFilePart=0x0) returned 0x4e [0080.844] SetErrorMode (uMode=0x1) returned 0x0 [0080.844] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.844] SetErrorMode (uMode=0x0) returned 0x1 [0080.845] SetErrorMode (uMode=0x1) returned 0x0 [0080.845] SetErrorMode (uMode=0x0) returned 0x1 [0080.845] GetFileType (hFile=0x30c) returned 0x1 [0080.845] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.845] ReadFile (in: hFile=0x30c, lpBuffer=0x3240a90, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3240a90*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.847] CloseHandle (hObject=0x30c) returned 1 [0080.847] SetErrorMode (uMode=0x1) returned 0x0 [0080.847] SetErrorMode (uMode=0x0) returned 0x1 [0080.847] GetFileType (hFile=0x30c) returned 0x1 [0080.847] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.847] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.847] SetEndOfFile (hFile=0x30c) returned 1 [0080.850] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.850] CloseHandle (hObject=0x30c) returned 1 [0080.869] SetErrorMode (uMode=0x1) returned 0x0 [0080.869] SetErrorMode (uMode=0x0) returned 0x1 [0080.869] GetFileType (hFile=0x30c) returned 0x1 [0080.869] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0080.872] CloseHandle (hObject=0x30c) returned 1 [0080.872] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpFilePart=0x0) returned 0x54 [0080.872] SetErrorMode (uMode=0x1) returned 0x0 [0080.872] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe64229fa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0080.872] SetErrorMode (uMode=0x0) returned 0x1 [0080.872] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0080.873] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpFilePart=0x0) returned 0x54 [0080.873] SetErrorMode (uMode=0x1) returned 0x0 [0080.873] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0080.873] SetErrorMode (uMode=0x0) returned 0x1 [0080.873] SetErrorMode (uMode=0x1) returned 0x0 [0080.873] SetErrorMode (uMode=0x0) returned 0x1 [0080.874] GetFileType (hFile=0x30c) returned 0x1 [0080.874] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0080.874] ReadFile (in: hFile=0x30c, lpBuffer=0x32c4f08, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x32c4f08*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0080.989] CloseHandle (hObject=0x30c) returned 1 [0080.989] SetErrorMode (uMode=0x1) returned 0x0 [0080.989] SetErrorMode (uMode=0x0) returned 0x1 [0080.989] GetFileType (hFile=0x30c) returned 0x1 [0080.989] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0080.989] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0080.989] SetEndOfFile (hFile=0x30c) returned 1 [0080.992] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0080.992] CloseHandle (hObject=0x30c) returned 1 [0081.025] SetErrorMode (uMode=0x1) returned 0x0 [0081.025] SetErrorMode (uMode=0x0) returned 0x1 [0081.025] GetFileType (hFile=0x30c) returned 0x1 [0081.025] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.028] CloseHandle (hObject=0x30c) returned 1 [0081.028] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", lpFilePart=0x0) returned 0x32 [0081.028] SetErrorMode (uMode=0x1) returned 0x0 [0081.028] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe65a019e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.028] SetErrorMode (uMode=0x0) returned 0x1 [0081.028] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.029] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", lpFilePart=0x0) returned 0x32 [0081.029] SetErrorMode (uMode=0x1) returned 0x0 [0081.029] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.029] SetErrorMode (uMode=0x0) returned 0x1 [0081.029] SetErrorMode (uMode=0x1) returned 0x0 [0081.029] SetErrorMode (uMode=0x0) returned 0x1 [0081.029] GetFileType (hFile=0x30c) returned 0x1 [0081.030] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.030] ReadFile (in: hFile=0x30c, lpBuffer=0x3005820, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3005820*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.126] CloseHandle (hObject=0x30c) returned 1 [0081.126] SetErrorMode (uMode=0x1) returned 0x0 [0081.126] SetErrorMode (uMode=0x0) returned 0x1 [0081.126] GetFileType (hFile=0x30c) returned 0x1 [0081.126] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.126] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.127] SetEndOfFile (hFile=0x30c) returned 1 [0081.129] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.129] CloseHandle (hObject=0x30c) returned 1 [0081.147] SetErrorMode (uMode=0x1) returned 0x0 [0081.147] SetErrorMode (uMode=0x0) returned 0x1 [0081.148] GetFileType (hFile=0x30c) returned 0x1 [0081.148] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.151] CloseHandle (hObject=0x30c) returned 1 [0081.151] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", lpFilePart=0x0) returned 0x40 [0081.151] SetErrorMode (uMode=0x1) returned 0x0 [0081.151] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe66d1478, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.151] SetErrorMode (uMode=0x0) returned 0x1 [0081.151] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.152] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", lpFilePart=0x0) returned 0x40 [0081.152] SetErrorMode (uMode=0x1) returned 0x0 [0081.152] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.152] SetErrorMode (uMode=0x0) returned 0x1 [0081.152] SetErrorMode (uMode=0x1) returned 0x0 [0081.152] SetErrorMode (uMode=0x0) returned 0x1 [0081.152] GetFileType (hFile=0x30c) returned 0x1 [0081.152] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.153] ReadFile (in: hFile=0x30c, lpBuffer=0x3089b20, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3089b20*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.156] CloseHandle (hObject=0x30c) returned 1 [0081.156] SetErrorMode (uMode=0x1) returned 0x0 [0081.157] SetErrorMode (uMode=0x0) returned 0x1 [0081.157] GetFileType (hFile=0x30c) returned 0x1 [0081.157] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.157] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.157] SetEndOfFile (hFile=0x30c) returned 1 [0081.159] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.159] CloseHandle (hObject=0x30c) returned 1 [0081.264] SetErrorMode (uMode=0x1) returned 0x0 [0081.264] SetErrorMode (uMode=0x0) returned 0x1 [0081.264] GetFileType (hFile=0x30c) returned 0x1 [0081.264] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.267] CloseHandle (hObject=0x30c) returned 1 [0081.267] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpFilePart=0x0) returned 0x34 [0081.267] SetErrorMode (uMode=0x1) returned 0x0 [0081.267] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6802927, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.268] SetErrorMode (uMode=0x0) returned 0x1 [0081.268] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.268] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpFilePart=0x0) returned 0x34 [0081.268] SetErrorMode (uMode=0x1) returned 0x0 [0081.268] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.269] SetErrorMode (uMode=0x0) returned 0x1 [0081.269] SetErrorMode (uMode=0x1) returned 0x0 [0081.269] SetErrorMode (uMode=0x0) returned 0x1 [0081.269] GetFileType (hFile=0x30c) returned 0x1 [0081.269] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.269] ReadFile (in: hFile=0x30c, lpBuffer=0x310dd30, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x310dd30*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.279] CloseHandle (hObject=0x30c) returned 1 [0081.280] SetErrorMode (uMode=0x1) returned 0x0 [0081.280] SetErrorMode (uMode=0x0) returned 0x1 [0081.280] GetFileType (hFile=0x30c) returned 0x1 [0081.280] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.280] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.280] SetEndOfFile (hFile=0x30c) returned 1 [0081.283] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.284] CloseHandle (hObject=0x30c) returned 1 [0081.303] SetErrorMode (uMode=0x1) returned 0x0 [0081.303] SetErrorMode (uMode=0x0) returned 0x1 [0081.303] GetFileType (hFile=0x30c) returned 0x1 [0081.303] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.409] CloseHandle (hObject=0x30c) returned 1 [0081.410] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpFilePart=0x0) returned 0x35 [0081.410] SetErrorMode (uMode=0x1) returned 0x0 [0081.410] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6959b68, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.410] SetErrorMode (uMode=0x0) returned 0x1 [0081.410] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.411] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpFilePart=0x0) returned 0x35 [0081.411] SetErrorMode (uMode=0x1) returned 0x0 [0081.411] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.413] SetErrorMode (uMode=0x0) returned 0x1 [0081.413] SetErrorMode (uMode=0x1) returned 0x0 [0081.413] SetErrorMode (uMode=0x0) returned 0x1 [0081.413] GetFileType (hFile=0x30c) returned 0x1 [0081.413] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.413] ReadFile (in: hFile=0x30c, lpBuffer=0x3192058, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3192058*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.415] CloseHandle (hObject=0x30c) returned 1 [0081.415] SetErrorMode (uMode=0x1) returned 0x0 [0081.415] SetErrorMode (uMode=0x0) returned 0x1 [0081.415] GetFileType (hFile=0x30c) returned 0x1 [0081.415] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.416] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.416] SetEndOfFile (hFile=0x30c) returned 1 [0081.418] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.418] CloseHandle (hObject=0x30c) returned 1 [0081.437] SetErrorMode (uMode=0x1) returned 0x0 [0081.438] SetErrorMode (uMode=0x0) returned 0x1 [0081.438] GetFileType (hFile=0x30c) returned 0x1 [0081.438] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.441] CloseHandle (hObject=0x30c) returned 1 [0081.441] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpFilePart=0x0) returned 0x41 [0081.441] SetErrorMode (uMode=0x1) returned 0x0 [0081.441] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe69a633e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.441] SetErrorMode (uMode=0x0) returned 0x1 [0081.441] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.442] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpFilePart=0x0) returned 0x41 [0081.442] SetErrorMode (uMode=0x1) returned 0x0 [0081.442] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.442] SetErrorMode (uMode=0x0) returned 0x1 [0081.442] SetErrorMode (uMode=0x1) returned 0x0 [0081.442] SetErrorMode (uMode=0x0) returned 0x1 [0081.442] GetFileType (hFile=0x30c) returned 0x1 [0081.442] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.442] ReadFile (in: hFile=0x30c, lpBuffer=0x3016a68, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3016a68*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.531] CloseHandle (hObject=0x30c) returned 1 [0081.532] SetErrorMode (uMode=0x1) returned 0x0 [0081.532] SetErrorMode (uMode=0x0) returned 0x1 [0081.532] GetFileType (hFile=0x30c) returned 0x1 [0081.532] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.532] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.532] SetEndOfFile (hFile=0x30c) returned 1 [0081.534] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.534] CloseHandle (hObject=0x30c) returned 1 [0081.553] SetErrorMode (uMode=0x1) returned 0x0 [0081.553] SetErrorMode (uMode=0x0) returned 0x1 [0081.553] GetFileType (hFile=0x30c) returned 0x1 [0081.554] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.556] CloseHandle (hObject=0x30c) returned 1 [0081.557] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", lpFilePart=0x0) returned 0x32 [0081.557] SetErrorMode (uMode=0x1) returned 0x0 [0081.557] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6ab11c2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.557] SetErrorMode (uMode=0x0) returned 0x1 [0081.557] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.557] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", lpFilePart=0x0) returned 0x32 [0081.558] SetErrorMode (uMode=0x1) returned 0x0 [0081.558] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.558] SetErrorMode (uMode=0x0) returned 0x1 [0081.558] SetErrorMode (uMode=0x1) returned 0x0 [0081.558] SetErrorMode (uMode=0x0) returned 0x1 [0081.558] GetFileType (hFile=0x30c) returned 0x1 [0081.558] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.558] ReadFile (in: hFile=0x30c, lpBuffer=0x309ac58, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x309ac58*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.560] CloseHandle (hObject=0x30c) returned 1 [0081.560] SetErrorMode (uMode=0x1) returned 0x0 [0081.560] SetErrorMode (uMode=0x0) returned 0x1 [0081.561] GetFileType (hFile=0x30c) returned 0x1 [0081.561] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.561] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.561] SetEndOfFile (hFile=0x30c) returned 1 [0081.564] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.564] CloseHandle (hObject=0x30c) returned 1 [0081.696] SetErrorMode (uMode=0x1) returned 0x0 [0081.697] SetErrorMode (uMode=0x0) returned 0x1 [0081.697] GetFileType (hFile=0x30c) returned 0x1 [0081.697] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.700] CloseHandle (hObject=0x30c) returned 1 [0081.700] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", lpFilePart=0x0) returned 0x3c [0081.700] SetErrorMode (uMode=0x1) returned 0x0 [0081.700] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6c08893, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.700] SetErrorMode (uMode=0x0) returned 0x1 [0081.700] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.701] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", lpFilePart=0x0) returned 0x3c [0081.701] SetErrorMode (uMode=0x1) returned 0x0 [0081.701] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.704] SetErrorMode (uMode=0x0) returned 0x1 [0081.704] SetErrorMode (uMode=0x1) returned 0x0 [0081.704] SetErrorMode (uMode=0x0) returned 0x1 [0081.704] GetFileType (hFile=0x30c) returned 0x1 [0081.704] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.704] ReadFile (in: hFile=0x30c, lpBuffer=0x2ff46d0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x2ff46d0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.706] CloseHandle (hObject=0x30c) returned 1 [0081.707] SetErrorMode (uMode=0x1) returned 0x0 [0081.707] SetErrorMode (uMode=0x0) returned 0x1 [0081.707] GetFileType (hFile=0x30c) returned 0x1 [0081.707] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.707] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.707] SetEndOfFile (hFile=0x30c) returned 1 [0081.709] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.709] CloseHandle (hObject=0x30c) returned 1 [0081.803] SetErrorMode (uMode=0x1) returned 0x0 [0081.804] SetErrorMode (uMode=0x0) returned 0x1 [0081.804] GetFileType (hFile=0x30c) returned 0x1 [0081.804] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.807] CloseHandle (hObject=0x30c) returned 1 [0081.807] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", lpFilePart=0x0) returned 0x34 [0081.807] SetErrorMode (uMode=0x1) returned 0x0 [0081.807] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6d13918, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.807] SetErrorMode (uMode=0x0) returned 0x1 [0081.807] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.808] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", lpFilePart=0x0) returned 0x34 [0081.808] SetErrorMode (uMode=0x1) returned 0x0 [0081.808] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0081.808] SetErrorMode (uMode=0x0) returned 0x1 [0081.809] SetErrorMode (uMode=0x1) returned 0x0 [0081.809] SetErrorMode (uMode=0x0) returned 0x1 [0081.809] GetFileType (hFile=0x30c) returned 0x1 [0081.809] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0081.809] ReadFile (in: hFile=0x30c, lpBuffer=0x30789b8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30789b8*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.823] CloseHandle (hObject=0x30c) returned 1 [0081.823] SetErrorMode (uMode=0x1) returned 0x0 [0081.823] SetErrorMode (uMode=0x0) returned 0x1 [0081.823] GetFileType (hFile=0x30c) returned 0x1 [0081.823] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0081.823] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0081.823] SetEndOfFile (hFile=0x30c) returned 1 [0081.826] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.826] CloseHandle (hObject=0x30c) returned 1 [0081.839] SetErrorMode (uMode=0x1) returned 0x0 [0081.839] SetErrorMode (uMode=0x0) returned 0x1 [0081.839] GetFileType (hFile=0x30c) returned 0x1 [0081.839] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0081.842] CloseHandle (hObject=0x30c) returned 1 [0081.843] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpFilePart=0x0) returned 0x5a [0081.843] SetErrorMode (uMode=0x1) returned 0x0 [0081.843] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6d5fb20, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0081.843] SetErrorMode (uMode=0x0) returned 0x1 [0081.843] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0081.844] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpFilePart=0x0) returned 0x5a [0081.844] SetErrorMode (uMode=0x1) returned 0x0 [0081.844] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0081.950] SetErrorMode (uMode=0x0) returned 0x1 [0081.951] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpFilePart=0x0) returned 0x50 [0081.951] SetErrorMode (uMode=0x1) returned 0x0 [0081.951] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0081.951] GetFileType (hFile=0x30c) returned 0x1 [0081.951] SetErrorMode (uMode=0x0) returned 0x1 [0081.951] GetFileType (hFile=0x30c) returned 0x1 [0081.951] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0081.952] ReadFile (in: hFile=0x30c, lpBuffer=0x30fd008, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30fd008*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0081.957] CloseHandle (hObject=0x30c) returned 1 [0081.957] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpFilePart=0x0) returned 0x50 [0081.957] SetErrorMode (uMode=0x1) returned 0x0 [0081.957] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0081.957] GetFileType (hFile=0x30c) returned 0x1 [0081.957] SetErrorMode (uMode=0x0) returned 0x1 [0081.957] GetFileType (hFile=0x30c) returned 0x1 [0081.957] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0081.958] SetFilePointer (in: hFile=0x30c, lDistanceToMove=988673, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xf1601 [0081.958] SetEndOfFile (hFile=0x30c) returned 1 [0081.961] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0081.961] CloseHandle (hObject=0x30c) returned 1 [0082.121] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpFilePart=0x0) returned 0x50 [0082.121] SetErrorMode (uMode=0x1) returned 0x0 [0082.121] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0082.122] GetFileType (hFile=0x30c) returned 0x1 [0082.122] SetErrorMode (uMode=0x0) returned 0x1 [0082.122] GetFileType (hFile=0x30c) returned 0x1 [0082.122] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0082.301] CloseHandle (hObject=0x30c) returned 1 [0082.302] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpFilePart=0x0) returned 0x50 [0082.302] SetErrorMode (uMode=0x1) returned 0x0 [0082.302] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe71d8167, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0082.302] SetErrorMode (uMode=0x0) returned 0x1 [0082.302] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.303] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpFilePart=0x0) returned 0x50 [0082.304] SetErrorMode (uMode=0x1) returned 0x0 [0082.304] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0082.304] SetErrorMode (uMode=0x0) returned 0x1 [0082.304] SetErrorMode (uMode=0x1) returned 0x0 [0082.304] SetErrorMode (uMode=0x0) returned 0x1 [0082.304] GetFileType (hFile=0x30c) returned 0x1 [0082.304] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0082.304] ReadFile (in: hFile=0x30c, lpBuffer=0x3181548, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3181548*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.306] CloseHandle (hObject=0x30c) returned 1 [0082.306] SetErrorMode (uMode=0x1) returned 0x0 [0082.306] SetErrorMode (uMode=0x0) returned 0x1 [0082.306] GetFileType (hFile=0x30c) returned 0x1 [0082.306] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0082.306] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0082.306] SetEndOfFile (hFile=0x30c) returned 1 [0082.309] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.309] CloseHandle (hObject=0x30c) returned 1 [0082.325] SetErrorMode (uMode=0x1) returned 0x0 [0082.325] SetErrorMode (uMode=0x0) returned 0x1 [0082.325] GetFileType (hFile=0x30c) returned 0x1 [0082.325] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0082.336] CloseHandle (hObject=0x30c) returned 1 [0082.336] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpFilePart=0x0) returned 0x41 [0082.336] SetErrorMode (uMode=0x1) returned 0x0 [0082.336] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe722493c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0082.336] SetErrorMode (uMode=0x0) returned 0x1 [0082.336] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.337] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpFilePart=0x0) returned 0x41 [0082.337] SetErrorMode (uMode=0x1) returned 0x0 [0082.337] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0082.338] SetErrorMode (uMode=0x0) returned 0x1 [0082.338] SetErrorMode (uMode=0x1) returned 0x0 [0082.338] SetErrorMode (uMode=0x0) returned 0x1 [0082.338] GetFileType (hFile=0x30c) returned 0x1 [0082.338] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0082.338] ReadFile (in: hFile=0x30c, lpBuffer=0x30196d8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x30196d8*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.381] CloseHandle (hObject=0x30c) returned 1 [0082.382] SetErrorMode (uMode=0x1) returned 0x0 [0082.383] SetErrorMode (uMode=0x0) returned 0x1 [0082.383] GetFileType (hFile=0x30c) returned 0x1 [0082.383] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0082.383] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0082.383] SetEndOfFile (hFile=0x30c) returned 1 [0082.385] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.385] CloseHandle (hObject=0x30c) returned 1 [0082.399] SetErrorMode (uMode=0x1) returned 0x0 [0082.399] SetErrorMode (uMode=0x0) returned 0x1 [0082.399] GetFileType (hFile=0x30c) returned 0x1 [0082.399] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0082.402] CloseHandle (hObject=0x30c) returned 1 [0082.402] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", lpFilePart=0x0) returned 0x34 [0082.402] SetErrorMode (uMode=0x1) returned 0x0 [0082.402] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe72bd22b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0082.402] SetErrorMode (uMode=0x0) returned 0x1 [0082.402] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.403] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", lpFilePart=0x0) returned 0x34 [0082.403] SetErrorMode (uMode=0x1) returned 0x0 [0082.403] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000)) returned 1 [0082.403] SetErrorMode (uMode=0x0) returned 0x1 [0082.403] SetErrorMode (uMode=0x1) returned 0x0 [0082.403] SetErrorMode (uMode=0x0) returned 0x1 [0082.404] GetFileType (hFile=0x30c) returned 0x1 [0082.404] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0xf1601 [0082.404] ReadFile (in: hFile=0x30c, lpBuffer=0x309d900, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x309d900*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.408] CloseHandle (hObject=0x30c) returned 1 [0082.408] SetErrorMode (uMode=0x1) returned 0x0 [0082.408] SetErrorMode (uMode=0x0) returned 0x1 [0082.408] GetFileType (hFile=0x30c) returned 0x1 [0082.408] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x101000 [0082.408] SetFilePointer (in: hFile=0x30c, lDistanceToMove=988673, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0xf1601 [0082.408] SetEndOfFile (hFile=0x30c) returned 1 [0082.411] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.411] CloseHandle (hObject=0x30c) returned 1 [0082.486] SetErrorMode (uMode=0x1) returned 0x0 [0082.487] SetErrorMode (uMode=0x0) returned 0x1 [0082.487] GetFileType (hFile=0x30c) returned 0x1 [0082.487] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0xf1601 [0082.491] CloseHandle (hObject=0x30c) returned 1 [0082.491] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", lpFilePart=0x0) returned 0x38 [0082.491] SetErrorMode (uMode=0x1) returned 0x0 [0082.491] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe73a1e3d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0)) returned 1 [0082.492] SetErrorMode (uMode=0x0) returned 0x1 [0082.492] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.493] GetFullPathNameW (in: lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", lpFilePart=0x0) returned 0x38 [0082.493] SetErrorMode (uMode=0x1) returned 0x0 [0082.493] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000)) returned 1 [0082.493] SetErrorMode (uMode=0x0) returned 0x1 [0082.493] SetErrorMode (uMode=0x1) returned 0x0 [0082.493] SetErrorMode (uMode=0x0) returned 0x1 [0082.493] GetFileType (hFile=0x30c) returned 0x1 [0082.493] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x101601 [0082.493] ReadFile (in: hFile=0x30c, lpBuffer=0x3121aa0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3121aa0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.495] CloseHandle (hObject=0x30c) returned 1 [0082.495] SetErrorMode (uMode=0x1) returned 0x0 [0082.495] SetErrorMode (uMode=0x0) returned 0x1 [0082.495] GetFileType (hFile=0x30c) returned 0x1 [0082.496] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x111000 [0082.496] SetFilePointer (in: hFile=0x30c, lDistanceToMove=1054209, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x101601 [0082.496] SetEndOfFile (hFile=0x30c) returned 1 [0082.498] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.498] CloseHandle (hObject=0x30c) returned 1 [0082.619] GetFullPathNameW (in: lpFileName="C:\\Logs\\Security.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Security.evtx", lpFilePart=0x0) returned 0x15 [0082.619] SetErrorMode (uMode=0x1) returned 0x0 [0082.619] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0082.620] GetFileType (hFile=0x30c) returned 0x1 [0082.620] SetErrorMode (uMode=0x0) returned 0x1 [0082.620] GetFileType (hFile=0x30c) returned 0x1 [0082.620] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x101601 [0082.620] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.621] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.621] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.622] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.622] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.622] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.623] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.623] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.623] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.624] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.625] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.625] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.625] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.626] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.626] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.626] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.626] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.627] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.627] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.627] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.627] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.627] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.628] WriteFile (in: hFile=0x30c, lpBuffer=0x30160d8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x30160d8*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0082.628] CloseHandle (hObject=0x30c) returned 1 [0082.709] GetFullPathNameW (in: lpFileName="C:\\Logs\\Security.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Security.evtx", lpFilePart=0x0) returned 0x15 [0082.709] GetFullPathNameW (in: lpFileName="C:\\Logs\\Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x45 [0082.709] SetErrorMode (uMode=0x1) returned 0x0 [0082.709] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe75c7894, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0)) returned 1 [0082.710] SetErrorMode (uMode=0x0) returned 0x1 [0082.710] MoveFileW (lpExistingFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="C:\\Logs\\Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\security.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.710] GetFullPathNameW (in: lpFileName="C:\\Logs\\Security.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Security.evtx", lpFilePart=0x0) returned 0x15 [0082.710] DeleteFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 0 [0082.710] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.711] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.711] SetErrorMode (uMode=0x1) returned 0x0 [0082.711] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0082.711] SetErrorMode (uMode=0x0) returned 0x1 [0082.711] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.711] SetErrorMode (uMode=0x1) returned 0x0 [0082.711] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.711] GetFileType (hFile=0x30c) returned 0x1 [0082.711] SetErrorMode (uMode=0x0) returned 0x1 [0082.711] GetFileType (hFile=0x30c) returned 0x1 [0082.711] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0082.711] ReadFile (in: hFile=0x30c, lpBuffer=0x3017f58, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3017f58*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.714] CloseHandle (hObject=0x30c) returned 1 [0082.714] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.714] SetErrorMode (uMode=0x1) returned 0x0 [0082.714] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.714] GetFileType (hFile=0x30c) returned 0x1 [0082.714] SetErrorMode (uMode=0x0) returned 0x1 [0082.714] GetFileType (hFile=0x30c) returned 0x1 [0082.714] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0082.714] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0082.714] SetEndOfFile (hFile=0x30c) returned 1 [0082.717] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.717] CloseHandle (hObject=0x30c) returned 1 [0082.734] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.734] SetErrorMode (uMode=0x1) returned 0x0 [0082.734] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0082.734] GetFileType (hFile=0x30c) returned 0x1 [0082.734] SetErrorMode (uMode=0x0) returned 0x1 [0082.734] GetFileType (hFile=0x30c) returned 0x1 [0082.734] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0082.734] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.735] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.735] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.736] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.736] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.736] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.736] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.737] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.737] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.737] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.737] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.737] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.738] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.738] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.738] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.738] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.739] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.739] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.739] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.852] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.852] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.853] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.853] WriteFile (in: hFile=0x30c, lpBuffer=0x3099f60*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x3099f60*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0082.853] CloseHandle (hObject=0x30c) returned 1 [0082.856] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.856] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x42 [0082.857] SetErrorMode (uMode=0x1) returned 0x0 [0082.857] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe771d212, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0082.857] SetErrorMode (uMode=0x0) returned 0x1 [0082.857] MoveFileW (lpExistingFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="C:\\Logs\\Setup.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\setup.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.857] GetFullPathNameW (in: lpFileName="C:\\Logs\\Setup.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Setup.evtx", lpFilePart=0x0) returned 0x12 [0082.857] DeleteFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 0 [0082.858] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.858] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.858] SetErrorMode (uMode=0x1) returned 0x0 [0082.858] GetFileAttributesExW (in: lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000)) returned 1 [0082.859] SetErrorMode (uMode=0x0) returned 0x1 [0082.859] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.859] SetErrorMode (uMode=0x1) returned 0x0 [0082.859] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.859] GetFileType (hFile=0x30c) returned 0x1 [0082.859] SetErrorMode (uMode=0x0) returned 0x1 [0082.859] GetFileType (hFile=0x30c) returned 0x1 [0082.859] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x101601 [0082.859] ReadFile (in: hFile=0x30c, lpBuffer=0x309bdc0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x309bdc0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.861] CloseHandle (hObject=0x30c) returned 1 [0082.861] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.861] SetErrorMode (uMode=0x1) returned 0x0 [0082.861] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.862] GetFileType (hFile=0x30c) returned 0x1 [0082.862] SetErrorMode (uMode=0x0) returned 0x1 [0082.862] GetFileType (hFile=0x30c) returned 0x1 [0082.862] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x111000 [0082.862] SetFilePointer (in: hFile=0x30c, lDistanceToMove=1054209, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x101601 [0082.862] SetEndOfFile (hFile=0x30c) returned 1 [0082.864] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.864] CloseHandle (hObject=0x30c) returned 1 [0082.883] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.883] SetErrorMode (uMode=0x1) returned 0x0 [0082.883] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0082.883] GetFileType (hFile=0x30c) returned 0x1 [0082.883] SetErrorMode (uMode=0x0) returned 0x1 [0082.883] GetFileType (hFile=0x30c) returned 0x1 [0082.884] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x101601 [0082.884] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.886] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.886] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.886] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.886] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.887] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.887] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.887] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.887] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.888] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.888] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.888] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.888] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.888] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.889] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.889] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.889] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0082.889] WriteFile (in: hFile=0x30c, lpBuffer=0x311ddc8*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x311ddc8*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0082.890] CloseHandle (hObject=0x30c) returned 1 [0082.944] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.944] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x43 [0082.944] SetErrorMode (uMode=0x1) returned 0x0 [0082.944] GetFileAttributesExW (in: lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe7805013, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0)) returned 1 [0082.944] SetErrorMode (uMode=0x0) returned 0x1 [0082.945] MoveFileW (lpExistingFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="C:\\Logs\\System.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\system.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0082.945] GetFullPathNameW (in: lpFileName="C:\\Logs\\System.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\System.evtx", lpFilePart=0x0) returned 0x13 [0082.945] DeleteFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 0 [0082.945] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0082.945] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0082.945] SetErrorMode (uMode=0x1) returned 0x0 [0082.946] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000)) returned 1 [0082.946] SetErrorMode (uMode=0x0) returned 0x1 [0082.946] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0082.946] SetErrorMode (uMode=0x1) returned 0x0 [0082.946] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.946] GetFileType (hFile=0x30c) returned 0x1 [0082.946] SetErrorMode (uMode=0x0) returned 0x1 [0082.946] GetFileType (hFile=0x30c) returned 0x1 [0082.946] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x1601 [0082.946] ReadFile (in: hFile=0x30c, lpBuffer=0x3121aa0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x3121aa0*, lpNumberOfBytesRead=0xf1e6f8*=0xf9ff, lpOverlapped=0x0) returned 1 [0082.949] CloseHandle (hObject=0x30c) returned 1 [0082.949] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0082.949] SetErrorMode (uMode=0x1) returned 0x0 [0082.949] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0082.949] GetFileType (hFile=0x30c) returned 0x1 [0082.949] SetErrorMode (uMode=0x0) returned 0x1 [0082.949] GetFileType (hFile=0x30c) returned 0x1 [0082.949] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0x11000 [0082.949] SetFilePointer (in: hFile=0x30c, lDistanceToMove=5633, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x1601 [0082.949] SetEndOfFile (hFile=0x30c) returned 1 [0082.952] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0082.952] CloseHandle (hObject=0x30c) returned 1 [0083.001] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0083.001] SetErrorMode (uMode=0x1) returned 0x0 [0083.001] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.001] GetFileType (hFile=0x30c) returned 0x1 [0083.001] SetErrorMode (uMode=0x0) returned 0x1 [0083.001] GetFileType (hFile=0x30c) returned 0x1 [0083.001] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x1601 [0083.002] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.003] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.003] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.003] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.003] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.004] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.004] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.004] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.004] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.004] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.005] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.005] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.006] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.006] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.006] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.006] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.007] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.007] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.007] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.007] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.008] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.008] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0x1000, lpOverlapped=0x0) returned 1 [0083.008] WriteFile (in: hFile=0x30c, lpBuffer=0x31a3c00*, nNumberOfBytesToWrite=0xcbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31a3c00*, lpNumberOfBytesWritten=0xf1e698*=0xcbf, lpOverlapped=0x0) returned 1 [0083.008] CloseHandle (hObject=0x30c) returned 1 [0083.011] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0083.011] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x4f [0083.011] SetErrorMode (uMode=0x1) returned 0x0 [0083.011] GetFileAttributesExW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0)) returned 1 [0083.012] SetErrorMode (uMode=0x0) returned 0x1 [0083.012] MoveFileW (lpExistingFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="C:\\Logs\\Windows PowerShell.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\logs\\windows powershell.evtx[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.012] GetFullPathNameW (in: lpFileName="C:\\Logs\\Windows PowerShell.evtx", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\Windows PowerShell.evtx", lpFilePart=0x0) returned 0x1f [0083.012] DeleteFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 0 [0083.013] GetFullPathNameW (in: lpFileName="C:\\Logs\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x1f [0083.013] SetErrorMode (uMode=0x1) returned 0x0 [0083.013] CreateFileW (lpFileName="C:\\Logs\\#DECRYPT MY FILES#.html" (normalized: "c:\\logs\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.013] GetFileType (hFile=0x30c) returned 0x1 [0083.013] SetErrorMode (uMode=0x0) returned 0x1 [0083.013] GetFileType (hFile=0x30c) returned 0x1 [0083.013] WriteFile (in: hFile=0x30c, lpBuffer=0x31a81a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31a81a8*, lpNumberOfBytesWritten=0xf1e748*=0x1000, lpOverlapped=0x0) returned 1 [0083.015] WriteFile (in: hFile=0x30c, lpBuffer=0x31a81a8*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31a81a8*, lpNumberOfBytesWritten=0xf1e748*=0x443, lpOverlapped=0x0) returned 1 [0083.015] CloseHandle (hObject=0x30c) returned 1 [0083.015] GetFullPathNameW (in: lpFileName="C:\\Logs", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Logs", lpFilePart=0x0) returned 0x7 [0083.015] SetErrorMode (uMode=0x1) returned 0x0 [0083.015] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xe789ad7b, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b31d0 [0083.016] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xe789ad7b, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe789ad7b, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe789ad7b, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1c75d41, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Application.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="APPLIC~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1d5ab4f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HardwareEvents.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="HARDWA~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1f24791, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="INTERN~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1f4a9e4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Key Management Service.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="KEYMAN~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1fbd248, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICROS~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe1fe332e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICROS~2.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2055a92, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICROS~3.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe20ee47b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICROS~4.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe21acf86, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIEA42~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe21f94ed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI63E7~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe23042dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIE4E7~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe23e9370, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIE0EC~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2481c63, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI34F1~1.PRT")) returned 1 [0083.017] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe25415b3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI387A~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe26fabe2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI6971~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2747101, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x2182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIBCE0~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe285221e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI097C~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe28eab70, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIA505~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe29cf673, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI513F~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2a1fd01, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICFE3~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2b77645, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIA8D8~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2b9e139, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIA916~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2c5c366, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8893~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2c824f1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI416C~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2d412dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI0DDD~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2d8d81e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIF7F2~1.PRT")) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2dd9b52, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIDA80~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe2e7239e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIE7F0~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3147256, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI78AE~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe32c4766, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MID621~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xe34421d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI4F04~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe35e5b00, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8D1E~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe37af73c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8A78~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3df1a5d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI9CE4~1.PRT")) returned 1 [0083.019] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3e6418b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI4775~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe3f6f192, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIC7FB~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe434ee91, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI0812~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe45b14ed, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIB65E~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe45d76aa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIF3F6~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe472eaa3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIE704~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4754bcd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI87D3~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe491eafa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIF5D0~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe496acb9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MID73B~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4a9c205, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI46A7~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4ae8728, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI75B3~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4b34bcf, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIF4BC~1.PRT")) returned 1 [0083.020] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4bcd52c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI3EB3~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4c199c3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2EC8~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4c65ee4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICB9E~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4e0959e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MICC65~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4e55d85, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIADB1~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe4f3ab97, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI3533~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe506bab7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI1C8F~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe50b8273, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI4DA6~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe51c6440, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI95BF~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe52ce110, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2A55~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe531a830, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI13BF~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe53d93d1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI7690~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe54e41dd, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIA569~1.PRT")) returned 1 [0083.038] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe55a2fe1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8F7C~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5792e91, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIBD29~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe58c41f9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2F54~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe59ece1d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIB73E~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5ae5a84, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI748D~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5b31ee5, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI865C~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe5e06b65, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI9540~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe608f3be, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8B4F~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe60db818, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2971~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6127d6f, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI9358~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe63d6676, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI546B~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe64229fa, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIDB5F~1.PRT")) returned 1 [0083.039] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe65a019e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI472A~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe66d1478, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI76E0~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6802927, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI758A~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6959b68, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2D03~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe69a633e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI1AE6~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6ab11c2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI41C0~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6c08893, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI4806~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6d13918, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI01F4~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe6d5fb20, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI0664~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe71d8167, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MIF684~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe722493c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI8236~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe72bd22b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MI2FF5~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe73a1e3d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1082c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MID0E7~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe75c7894, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="SECURI~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe771d212, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="SETUPE~1.PRT")) returned 1 [0083.040] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe7805013, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="SYSTEM~1.PRT")) returned 1 [0083.041] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows PowerShell.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="WINDOW~1.PRT")) returned 1 [0083.041] FindNextFileW (in: hFindFile=0x10b31d0, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xe789ad7b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x182c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows PowerShell.evtx[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="WINDOW~1.PRT")) returned 0 [0083.041] FindClose (in: hFindFile=0x10b31d0 | out: hFindFile=0x10b31d0) returned 1 [0083.041] SetErrorMode (uMode=0x0) returned 0x1 [0083.041] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0083.042] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.042] CoTaskMemFree (pv=0x10bc9c0) [0083.042] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.042] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0x2881e071, Data2=0x7d2e, Data3=0x4af5, Data4=([0]=0xac, [1]=0x85, [2]=0x88, [3]=0x18, [4]=0xa9, [5]=0x15, [6]=0xba, [7]=0x81))) returned 0x0 [0083.043] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0083.043] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.043] CoTaskMemFree (pv=0x10bc9c0) [0083.043] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.043] GetFullPathNameW (in: lpFileName="C:\\PerfLogs", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0083.043] SetErrorMode (uMode=0x1) returned 0x0 [0083.043] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0083.056] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.056] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.056] FindClose (in: hFindFile=0x10b3770 | out: hFindFile=0x10b3770) returned 1 [0083.056] SetErrorMode (uMode=0x0) returned 0x1 [0083.056] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x23 [0083.057] SetErrorMode (uMode=0x1) returned 0x0 [0083.057] CreateFileW (lpFileName="C:\\PerfLogs\\#DECRYPT MY FILES#.html" (normalized: "c:\\perflogs\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.058] GetFileType (hFile=0x30c) returned 0x1 [0083.058] SetErrorMode (uMode=0x0) returned 0x1 [0083.059] GetFileType (hFile=0x30c) returned 0x1 [0083.059] WriteFile (in: hFile=0x30c, lpBuffer=0x31b3260*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31b3260*, lpNumberOfBytesWritten=0xf1e748*=0x1000, lpOverlapped=0x0) returned 1 [0083.060] WriteFile (in: hFile=0x30c, lpBuffer=0x31b3260*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31b3260*, lpNumberOfBytesWritten=0xf1e748*=0x443, lpOverlapped=0x0) returned 1 [0083.060] CloseHandle (hObject=0x30c) returned 1 [0083.060] GetFullPathNameW (in: lpFileName="C:\\PerfLogs", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0083.060] SetErrorMode (uMode=0x1) returned 0x0 [0083.060] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe790d116, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0083.061] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe790d116, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.061] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe790d116, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe790d116, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe790d116, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.061] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe790d116, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe790d116, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe790d116, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 0 [0083.061] FindClose (in: hFindFile=0x10b3770 | out: hFindFile=0x10b3770) returned 1 [0083.061] SetErrorMode (uMode=0x0) returned 0x1 [0083.061] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0083.061] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.061] CoTaskMemFree (pv=0x10bd8a0) [0083.061] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.061] CoCreateGuid (in: pguid=0xf1e810 | out: pguid=0xf1e810*(Data1=0xd7d3d5ff, Data2=0x12c4, Data3=0x446f, Data4=([0]=0xae, [1]=0xd7, [2]=0x38, [3]=0x6c, [4]=0xb, [5]=0xc5, [6]=0xc3, [7]=0xc5))) returned 0x0 [0083.062] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0083.062] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.062] CoTaskMemFree (pv=0x10bd680) [0083.062] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.062] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0xf1e400, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0083.062] SetErrorMode (uMode=0x1) returned 0x0 [0083.062] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0xf1e5a0 | out: lpFindFileData=0xf1e5a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0083.062] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.062] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0083.062] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d0779b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5704f2d, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DP", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf9efde18, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9efde18, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf7b2b948, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b2b948, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7a9790b, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7a9790b, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82e68d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xe99e772e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xf9f23304, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9f23304, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709ed3a7, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xf7bc420e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7bc420e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x59f2f4b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rempl", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd2709a20, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4c509d45, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf5fb44d3, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf5fb44d3, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa8fde0ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender Advanced Threat Protection", cAlternateFileName="WIF4A9~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b0582e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b0582e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e4faee, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xf7c0ad26, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c0ad26, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b0582e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b0582e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~3")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa91c8710, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~4")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92acc65, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Security", cAlternateFileName="WIDB62~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf9f23304, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9f23304, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8da88b6d, ftLastAccessTime.dwHighDateTime=0x1d3274e, ftLastWriteTime.dwLowDateTime=0x8da88b6d, ftLastWriteTime.dwHighDateTime=0x1d3274e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WI7DB9~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e5b0 | out: lpFindFileData=0xf1e5b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 0 [0083.064] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0083.064] SetErrorMode (uMode=0x0) returned 0x1 [0083.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e380, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.064] SetErrorMode (uMode=0x1) returned 0x0 [0083.064] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e750 | out: lpFileInformation=0xf1e750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d0779b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0083.065] SetErrorMode (uMode=0x0) returned 0x1 [0083.065] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.065] SetErrorMode (uMode=0x1) returned 0x0 [0083.065] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.065] GetFileType (hFile=0x30c) returned 0x1 [0083.065] SetErrorMode (uMode=0x0) returned 0x1 [0083.065] GetFileType (hFile=0x30c) returned 0x1 [0083.065] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-117, lpDistanceToMoveHigh=0xf1e860*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e860*=0) returned 0x39 [0083.065] ReadFile (in: hFile=0x30c, lpBuffer=0x31b8250, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xf1e6f8, lpOverlapped=0x0 | out: lpBuffer=0x31b8250*, lpNumberOfBytesRead=0xf1e6f8*=0x75, lpOverlapped=0x0) returned 1 [0083.067] CloseHandle (hObject=0x30c) returned 1 [0083.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.067] SetErrorMode (uMode=0x1) returned 0x0 [0083.067] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.067] GetFileType (hFile=0x30c) returned 0x1 [0083.067] SetErrorMode (uMode=0x0) returned 0x1 [0083.067] GetFileType (hFile=0x30c) returned 0x1 [0083.067] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e818 | out: lpFileSizeHigh=0xf1e818*=0x0) returned 0xae [0083.067] SetFilePointer (in: hFile=0x30c, lDistanceToMove=57, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x39 [0083.067] SetEndOfFile (hFile=0x30c) returned 1 [0083.072] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e870*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e870*=0) returned 0x0 [0083.072] CloseHandle (hObject=0x30c) returned 1 [0083.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e130, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.072] SetErrorMode (uMode=0x1) returned 0x0 [0083.073] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.073] GetFileType (hFile=0x30c) returned 0x1 [0083.073] SetErrorMode (uMode=0x0) returned 0x1 [0083.073] GetFileType (hFile=0x30c) returned 0x1 [0083.073] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e5a0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e5a0*=0) returned 0x39 [0083.073] WriteFile (in: hFile=0x30c, lpBuffer=0x31bab98*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0xf1e698, lpOverlapped=0x0 | out: lpBuffer=0x31bab98*, lpNumberOfBytesWritten=0xf1e698*=0xbf, lpOverlapped=0x0) returned 1 [0083.074] CloseHandle (hObject=0x30c) returned 1 [0083.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e480, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x4c [0083.075] SetErrorMode (uMode=0x1) returned 0x0 [0083.075] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0xf1e6d0 | out: lpFileInformation=0xf1e6d0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xe7933629, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xf8)) returned 1 [0083.075] SetErrorMode (uMode=0x0) returned 0x1 [0083.075] MoveFileW (lpExistingFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="C:\\Program Files\\desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\desktop.ini[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0xf1e490, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0083.076] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0 [0083.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x28 [0083.076] SetErrorMode (uMode=0x1) returned 0x0 [0083.076] CreateFileW (lpFileName="C:\\Program Files\\#DECRYPT MY FILES#.html" (normalized: "c:\\program files\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.102] GetFileType (hFile=0x30c) returned 0x1 [0083.102] SetErrorMode (uMode=0x0) returned 0x1 [0083.102] GetFileType (hFile=0x30c) returned 0x1 [0083.102] WriteFile (in: hFile=0x30c, lpBuffer=0x31bddc0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31bddc0*, lpNumberOfBytesWritten=0xf1e748*=0x1000, lpOverlapped=0x0) returned 1 [0083.103] WriteFile (in: hFile=0x30c, lpBuffer=0x31bddc0*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e748, lpOverlapped=0x0 | out: lpBuffer=0x31bddc0*, lpNumberOfBytesWritten=0xf1e748*=0x443, lpOverlapped=0x0) returned 1 [0083.103] CloseHandle (hObject=0x30c) returned 1 [0083.103] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0xf1e3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0083.104] SetErrorMode (uMode=0x1) returned 0x0 [0083.104] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0xf1e570 | out: lpFindFileData=0xf1e570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7933629, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe797f817, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7933629, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe797f817, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe797f817, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe797f817, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe797f817, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xe7933629, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5704f2d, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xd5704f2d, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xd5704f2d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DP", cAlternateFileName="")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf9efde18, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9efde18, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf7b2b948, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b2b948, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7a9790b, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7a9790b, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82e68d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xe99e772e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xf9f23304, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9f23304, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709ed3a7, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xf7bc420e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7bc420e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x59f2f4b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rempl", cAlternateFileName="")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd2709a20, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4c509d45, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf5fb44d3, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf5fb44d3, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa8fde0ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender Advanced Threat Protection", cAlternateFileName="WIF4A9~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b0582e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b0582e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e4faee, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xf7c0ad26, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c0ad26, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b0582e, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b0582e, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~3")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa91c8710, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~4")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7b77cfd, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7b77cfd, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7c1e585, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7c1e585, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92acc65, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Security", cAlternateFileName="WIDB62~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf9f23304, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf9f23304, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8da88b6d, ftLastAccessTime.dwHighDateTime=0x1d3274e, ftLastWriteTime.dwLowDateTime=0x8da88b6d, ftLastWriteTime.dwHighDateTime=0x1d3274e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WI7DB9~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0083.105] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e580 | out: lpFindFileData=0xf1e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 0 [0083.105] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0083.106] SetErrorMode (uMode=0x0) returned 0x1 [0083.106] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0083.106] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.106] CoTaskMemFree (pv=0x10bd680) [0083.106] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e460, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.106] CoCreateGuid (in: pguid=0xf1e750 | out: pguid=0xf1e750*(Data1=0x63b5f85e, Data2=0xa806, Data3=0x4b88, Data4=([0]=0x96, [1]=0xbc, [2]=0xb2, [3]=0x2c, [4]=0xf1, [5]=0xea, [6]=0x93, [7]=0xd5))) returned 0x0 [0083.106] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0083.106] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.106] CoTaskMemFree (pv=0x10bd680) [0083.106] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.106] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files", nBufferLength=0x105, lpBuffer=0xf1e340, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0083.106] SetErrorMode (uMode=0x1) returned 0x0 [0083.106] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0xf1e4e0 | out: lpFindFileData=0xf1e4e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b33b0 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xf7adf6a5, ftLastWriteTime.dwHighDateTime=0x1d5c65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x832847f0, ftCreationTime.dwHighDateTime=0x1d55289, ftLastAccessTime.dwLowDateTime=0xaad17670, ftLastAccessTime.dwHighDateTime=0x1d592ce, ftLastWriteTime.dwLowDateTime=0xaad17670, ftLastWriteTime.dwHighDateTime=0x1d592ce, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="alftp.exe", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8982d9e0, ftCreationTime.dwHighDateTime=0x1d5b0de, ftLastAccessTime.dwLowDateTime=0xbbc2e860, ftLastAccessTime.dwHighDateTime=0x1d55499, ftLastWriteTime.dwLowDateTime=0xbbc2e860, ftLastWriteTime.dwHighDateTime=0x1d55499, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="icq.exe", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e63250, ftCreationTime.dwHighDateTime=0x1d54c9b, ftLastAccessTime.dwLowDateTime=0xfb19c090, ftLastAccessTime.dwHighDateTime=0x1d57575, ftLastWriteTime.dwLowDateTime=0xfb19c090, ftLastWriteTime.dwHighDateTime=0x1d57575, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="invision_sensitivity.exe", cAlternateFileName="INVISI~1.EXE")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x10b33b0, lpFindFileData=0xf1e4f0 | out: lpFindFileData=0xf1e4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0083.107] FindClose (in: hFindFile=0x10b33b0 | out: hFindFile=0x10b33b0) returned 1 [0083.107] SetErrorMode (uMode=0x0) returned 0x1 [0083.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\alftp.exe", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\alftp.exe", lpFilePart=0x0) returned 0x27 [0083.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\alftp.exe", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\alftp.exe", lpFilePart=0x0) returned 0x27 [0083.108] SetErrorMode (uMode=0x1) returned 0x0 [0083.108] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\alftp.exe" (normalized: "c:\\program files\\common files\\alftp.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x832847f0, ftCreationTime.dwHighDateTime=0x1d55289, ftLastAccessTime.dwLowDateTime=0xaad17670, ftLastAccessTime.dwHighDateTime=0x1d592ce, ftLastWriteTime.dwLowDateTime=0xaad17670, ftLastWriteTime.dwHighDateTime=0x1d592ce, nFileSizeHigh=0x0, nFileSizeLow=0x13200)) returned 1 [0083.108] SetErrorMode (uMode=0x0) returned 0x1 [0083.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\alftp.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\alftp.exe", lpFilePart=0x0) returned 0x27 [0083.108] SetErrorMode (uMode=0x1) returned 0x0 [0083.108] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\alftp.exe" (normalized: "c:\\program files\\common files\\alftp.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.108] GetFileType (hFile=0x30c) returned 0x1 [0083.108] SetErrorMode (uMode=0x0) returned 0x1 [0083.108] GetFileType (hFile=0x30c) returned 0x1 [0083.108] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3801 [0083.109] ReadFile (in: hFile=0x30c, lpBuffer=0x31c42d0, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x31c42d0*, lpNumberOfBytesRead=0xf1e638*=0xf9ff, lpOverlapped=0x0) returned 1 [0083.110] CloseHandle (hObject=0x30c) returned 1 [0083.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\alftp.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\alftp.exe", lpFilePart=0x0) returned 0x27 [0083.110] SetErrorMode (uMode=0x1) returned 0x0 [0083.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\alftp.exe" (normalized: "c:\\program files\\common files\\alftp.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0083.114] SetErrorMode (uMode=0x0) returned 0x1 [0083.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\icq.exe", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\icq.exe", lpFilePart=0x0) returned 0x25 [0083.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\icq.exe", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\icq.exe", lpFilePart=0x0) returned 0x25 [0083.115] SetErrorMode (uMode=0x1) returned 0x0 [0083.115] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\icq.exe" (normalized: "c:\\program files\\common files\\icq.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8982d9e0, ftCreationTime.dwHighDateTime=0x1d5b0de, ftLastAccessTime.dwLowDateTime=0xbbc2e860, ftLastAccessTime.dwHighDateTime=0x1d55499, ftLastWriteTime.dwLowDateTime=0xbbc2e860, ftLastWriteTime.dwHighDateTime=0x1d55499, nFileSizeHigh=0x0, nFileSizeLow=0x13200)) returned 1 [0083.115] SetErrorMode (uMode=0x0) returned 0x1 [0083.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\icq.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\icq.exe", lpFilePart=0x0) returned 0x25 [0083.115] SetErrorMode (uMode=0x1) returned 0x0 [0083.115] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\icq.exe" (normalized: "c:\\program files\\common files\\icq.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.115] GetFileType (hFile=0x30c) returned 0x1 [0083.116] SetErrorMode (uMode=0x0) returned 0x1 [0083.116] GetFileType (hFile=0x30c) returned 0x1 [0083.116] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3801 [0083.116] ReadFile (in: hFile=0x30c, lpBuffer=0x31d52a8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x31d52a8*, lpNumberOfBytesRead=0xf1e638*=0xf9ff, lpOverlapped=0x0) returned 1 [0083.117] CloseHandle (hObject=0x30c) returned 1 [0083.117] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\icq.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\icq.exe", lpFilePart=0x0) returned 0x25 [0083.117] SetErrorMode (uMode=0x1) returned 0x0 [0083.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\icq.exe" (normalized: "c:\\program files\\common files\\icq.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0083.118] SetErrorMode (uMode=0x0) returned 0x1 [0083.119] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe", nBufferLength=0x105, lpBuffer=0xf1e410, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\invision_sensitivity.exe", lpFilePart=0x0) returned 0x36 [0083.119] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe", nBufferLength=0x105, lpBuffer=0xf1e2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\invision_sensitivity.exe", lpFilePart=0x0) returned 0x36 [0083.119] SetErrorMode (uMode=0x1) returned 0x0 [0083.119] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe" (normalized: "c:\\program files\\common files\\invision_sensitivity.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e690 | out: lpFileInformation=0xf1e690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e63250, ftCreationTime.dwHighDateTime=0x1d54c9b, ftLastAccessTime.dwLowDateTime=0xfb19c090, ftLastAccessTime.dwHighDateTime=0x1d57575, ftLastWriteTime.dwLowDateTime=0xfb19c090, ftLastWriteTime.dwHighDateTime=0x1d57575, nFileSizeHigh=0x0, nFileSizeLow=0x13200)) returned 1 [0083.119] SetErrorMode (uMode=0x0) returned 0x1 [0083.119] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\invision_sensitivity.exe", lpFilePart=0x0) returned 0x36 [0083.120] SetErrorMode (uMode=0x1) returned 0x0 [0083.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe" (normalized: "c:\\program files\\common files\\invision_sensitivity.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.120] GetFileType (hFile=0x30c) returned 0x1 [0083.120] SetErrorMode (uMode=0x0) returned 0x1 [0083.120] GetFileType (hFile=0x30c) returned 0x1 [0083.120] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e7a0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e7a0*=0) returned 0x3801 [0083.120] ReadFile (in: hFile=0x30c, lpBuffer=0x31e62d8, nNumberOfBytesToRead=0xf9ff, lpNumberOfBytesRead=0xf1e638, lpOverlapped=0x0 | out: lpBuffer=0x31e62d8*, lpNumberOfBytesRead=0xf1e638*=0xf9ff, lpOverlapped=0x0) returned 1 [0083.121] CloseHandle (hObject=0x30c) returned 1 [0083.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe", nBufferLength=0x105, lpBuffer=0xf1e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\invision_sensitivity.exe", lpFilePart=0x0) returned 0x36 [0083.121] SetErrorMode (uMode=0x1) returned 0x0 [0083.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\invision_sensitivity.exe" (normalized: "c:\\program files\\common files\\invision_sensitivity.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0083.123] SetErrorMode (uMode=0x0) returned 0x1 [0083.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e120, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x35 [0083.123] SetErrorMode (uMode=0x1) returned 0x0 [0083.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\#DECRYPT MY FILES#.html" (normalized: "c:\\program files\\common files\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.124] GetFileType (hFile=0x30c) returned 0x1 [0083.124] SetErrorMode (uMode=0x0) returned 0x1 [0083.124] GetFileType (hFile=0x30c) returned 0x1 [0083.124] WriteFile (in: hFile=0x30c, lpBuffer=0x31f8698*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x31f8698*, lpNumberOfBytesWritten=0xf1e688*=0x1000, lpOverlapped=0x0) returned 1 [0083.125] WriteFile (in: hFile=0x30c, lpBuffer=0x31f8698*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e688, lpOverlapped=0x0 | out: lpBuffer=0x31f8698*, lpNumberOfBytesWritten=0xf1e688*=0x443, lpOverlapped=0x0) returned 1 [0083.125] CloseHandle (hObject=0x30c) returned 1 [0083.126] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0083.126] SetErrorMode (uMode=0x1) returned 0x0 [0083.126] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0xf1e4b0 | out: lpFindFileData=0xf1e4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xe79a5e84, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b2ed0 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7adf6a5, ftLastAccessTime.dwHighDateTime=0x1d5c65a, ftLastWriteTime.dwLowDateTime=0xe79a5e84, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe79a5e84, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe79a5e84, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe79a5e84, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x832847f0, ftCreationTime.dwHighDateTime=0x1d55289, ftLastAccessTime.dwLowDateTime=0xaad17670, ftLastAccessTime.dwHighDateTime=0x1d592ce, ftLastWriteTime.dwLowDateTime=0xaad17670, ftLastWriteTime.dwHighDateTime=0x1d592ce, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="alftp.exe", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8982d9e0, ftCreationTime.dwHighDateTime=0x1d5b0de, ftLastAccessTime.dwLowDateTime=0xbbc2e860, ftLastAccessTime.dwHighDateTime=0x1d55499, ftLastWriteTime.dwLowDateTime=0xbbc2e860, ftLastWriteTime.dwHighDateTime=0x1d55499, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="icq.exe", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e63250, ftCreationTime.dwHighDateTime=0x1d54c9b, ftLastAccessTime.dwLowDateTime=0xfb19c090, ftLastAccessTime.dwHighDateTime=0x1d57575, ftLastWriteTime.dwLowDateTime=0xfb19c090, ftLastWriteTime.dwHighDateTime=0x1d57575, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="invision_sensitivity.exe", cAlternateFileName="INVISI~1.EXE")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0083.126] FindNextFileW (in: hFindFile=0x10b2ed0, lpFindFileData=0xf1e4c0 | out: lpFindFileData=0xf1e4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0083.127] FindClose (in: hFindFile=0x10b2ed0 | out: hFindFile=0x10b2ed0) returned 1 [0083.127] SetErrorMode (uMode=0x0) returned 0x1 [0083.127] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0083.127] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.127] CoTaskMemFree (pv=0x10bc9c0) [0083.127] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.127] CoCreateGuid (in: pguid=0xf1e690 | out: pguid=0xf1e690*(Data1=0x7b320ed, Data2=0xb069, Data3=0x4397, Data4=([0]=0xb9, [1]=0xae, [2]=0xb6, [3]=0x18, [4]=0x71, [5]=0x60, [6]=0xd, [7]=0x14))) returned 0x0 [0083.127] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0083.127] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.127] CoTaskMemFree (pv=0x10bc9c0) [0083.127] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.127] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0083.127] SetErrorMode (uMode=0x1) returned 0x0 [0083.127] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0xf1e420 | out: lpFindFileData=0xf1e420*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0083.128] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.128] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0083.128] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 0 [0083.128] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0083.128] SetErrorMode (uMode=0x0) returned 0x1 [0083.128] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e350, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.128] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e200, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.128] SetErrorMode (uMode=0x1) returned 0x0 [0083.129] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), fInfoLevelId=0x0, lpFileInformation=0xf1e5d0 | out: lpFileInformation=0xf1e5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70)) returned 1 [0083.129] SetErrorMode (uMode=0x0) returned 0x1 [0083.129] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e030, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.129] SetErrorMode (uMode=0x1) returned 0x0 [0083.130] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.130] GetFileType (hFile=0x30c) returned 0x1 [0083.130] SetErrorMode (uMode=0x0) returned 0x1 [0083.130] GetFileType (hFile=0x30c) returned 0x1 [0083.130] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-15912, lpDistanceToMoveHigh=0xf1e6e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e6e0*=0) returned 0x48 [0083.130] ReadFile (in: hFile=0x30c, lpBuffer=0x31fd3d0, nNumberOfBytesToRead=0x3e28, lpNumberOfBytesRead=0xf1e578, lpOverlapped=0x0 | out: lpBuffer=0x31fd3d0*, lpNumberOfBytesRead=0xf1e578*=0x3e28, lpOverlapped=0x0) returned 1 [0083.132] CloseHandle (hObject=0x30c) returned 1 [0083.132] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e030, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.132] SetErrorMode (uMode=0x1) returned 0x0 [0083.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0083.132] GetFileType (hFile=0x30c) returned 0x1 [0083.132] SetErrorMode (uMode=0x0) returned 0x1 [0083.132] GetFileType (hFile=0x30c) returned 0x1 [0083.132] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e698 | out: lpFileSizeHigh=0xf1e698*=0x0) returned 0x3e70 [0083.132] SetFilePointer (in: hFile=0x30c, lDistanceToMove=72, lpDistanceToMoveHigh=0xf1e6f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e6f0*=0) returned 0x48 [0083.132] SetEndOfFile (hFile=0x30c) returned 1 [0083.135] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e6f0*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0xf1e6f0*=0) returned 0x0 [0083.135] CloseHandle (hObject=0x30c) returned 1 [0083.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.138] SetErrorMode (uMode=0x1) returned 0x0 [0083.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.138] GetFileType (hFile=0x30c) returned 0x1 [0083.138] SetErrorMode (uMode=0x0) returned 0x1 [0083.138] GetFileType (hFile=0x30c) returned 0x1 [0083.138] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e420*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e420*=0) returned 0x48 [0083.138] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0x1000, lpOverlapped=0x0) returned 1 [0083.139] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0x1000, lpOverlapped=0x0) returned 1 [0083.139] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0x1000, lpOverlapped=0x0) returned 1 [0083.140] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0x1000, lpOverlapped=0x0) returned 1 [0083.140] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0x1000, lpOverlapped=0x0) returned 1 [0083.140] WriteFile (in: hFile=0x30c, lpBuffer=0x323d6d0*, nNumberOfBytesToWrite=0xabf, lpNumberOfBytesWritten=0xf1e518, lpOverlapped=0x0 | out: lpBuffer=0x323d6d0*, lpNumberOfBytesWritten=0xf1e518*=0xabf, lpOverlapped=0x0) returned 1 [0083.140] CloseHandle (hObject=0x30c) returned 1 [0083.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", nBufferLength=0x105, lpBuffer=0xf1e300, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", lpFilePart=0x0) returned 0x63 [0083.142] SetErrorMode (uMode=0x1) returned 0x0 [0083.142] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), fInfoLevelId=0x0, lpFileInformation=0xf1e550 | out: lpFileInformation=0xf1e550*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xe79cbd5b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5b07)) returned 1 [0083.142] SetErrorMode (uMode=0x0) returned 0x1 [0083.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), lpNewFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0xf1e310, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x33 [0083.306] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 0 [0083.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e060, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x3e [0083.307] SetErrorMode (uMode=0x1) returned 0x0 [0083.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\#DECRYPT MY FILES#.html" (normalized: "c:\\program files\\common files\\designer\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.308] GetFileType (hFile=0x30c) returned 0x1 [0083.308] SetErrorMode (uMode=0x0) returned 0x1 [0083.308] GetFileType (hFile=0x30c) returned 0x1 [0083.308] WriteFile (in: hFile=0x30c, lpBuffer=0x3240a10*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5c8, lpOverlapped=0x0 | out: lpBuffer=0x3240a10*, lpNumberOfBytesWritten=0xf1e5c8*=0x1000, lpOverlapped=0x0) returned 1 [0083.309] WriteFile (in: hFile=0x30c, lpBuffer=0x3240a10*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e5c8, lpOverlapped=0x0 | out: lpBuffer=0x3240a10*, lpNumberOfBytesWritten=0xf1e5c8*=0x443, lpOverlapped=0x0) returned 1 [0083.309] CloseHandle (hObject=0x30c) returned 1 [0083.309] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0xf1e250, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0083.309] SetErrorMode (uMode=0x1) returned 0x0 [0083.309] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0xf1e3f0 | out: lpFindFileData=0xf1e3f0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xe7b493f3, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0083.310] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xe7b493f3, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.310] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7b6f6cb, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe7b6f6cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.310] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xe79cbd5b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5b07, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MSADDN~1.PRT")) returned 1 [0083.310] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xe79cbd5b, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5b07, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT", cAlternateFileName="MSADDN~1.PRT")) returned 0 [0083.310] FindClose (in: hFindFile=0x10b3a10 | out: hFindFile=0x10b3a10) returned 1 [0083.310] SetErrorMode (uMode=0x0) returned 0x1 [0083.310] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0083.310] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.310] CoTaskMemFree (pv=0x10be120) [0083.310] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.310] CoCreateGuid (in: pguid=0xf1e690 | out: pguid=0xf1e690*(Data1=0xc702a67d, Data2=0x63ff, Data3=0x47b4, Data4=([0]=0x90, [1]=0x1f, [2]=0xf4, [3]=0x85, [4]=0xb3, [5]=0x5f, [6]=0xc, [7]=0x12))) returned 0x0 [0083.311] CoTaskMemAlloc (cb=0x20c) returned 0x10bc9c0 [0083.311] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bc9c0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.311] CoTaskMemFree (pv=0x10bc9c0) [0083.311] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.311] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared", nBufferLength=0x105, lpBuffer=0xf1e280, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared", lpFilePart=0x0) returned 0x2e [0083.311] SetErrorMode (uMode=0x1) returned 0x0 [0083.311] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*.*", lpFindFileData=0xf1e420 | out: lpFindFileData=0xf1e420*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3770 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0083.311] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0083.312] FindNextFileW (in: hFindFile=0x10b3770, lpFindFileData=0xf1e430 | out: lpFindFileData=0xf1e430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 0 [0083.312] FindClose (in: hFindFile=0x10b3770 | out: hFindFile=0x10b3770) returned 1 [0083.312] SetErrorMode (uMode=0x0) returned 0x1 [0083.312] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\#DECRYPT MY FILES#.html", nBufferLength=0x105, lpBuffer=0xf1e060, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\#DECRYPT MY FILES#.html", lpFilePart=0x0) returned 0x46 [0083.312] SetErrorMode (uMode=0x1) returned 0x0 [0083.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\#DECRYPT MY FILES#.html" (normalized: "c:\\program files\\common files\\microsoft shared\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0083.313] GetFileType (hFile=0x30c) returned 0x1 [0083.313] SetErrorMode (uMode=0x0) returned 0x1 [0083.313] GetFileType (hFile=0x30c) returned 0x1 [0083.313] WriteFile (in: hFile=0x30c, lpBuffer=0x32464b8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e5c8, lpOverlapped=0x0 | out: lpBuffer=0x32464b8*, lpNumberOfBytesWritten=0xf1e5c8*=0x1000, lpOverlapped=0x0) returned 1 [0083.314] WriteFile (in: hFile=0x30c, lpBuffer=0x32464b8*, nNumberOfBytesToWrite=0x443, lpNumberOfBytesWritten=0xf1e5c8, lpOverlapped=0x0 | out: lpBuffer=0x32464b8*, lpNumberOfBytesWritten=0xf1e5c8*=0x443, lpOverlapped=0x0) returned 1 [0083.314] CloseHandle (hObject=0x30c) returned 1 [0083.314] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared", nBufferLength=0x105, lpBuffer=0xf1e250, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared", lpFilePart=0x0) returned 0x2e [0083.314] SetErrorMode (uMode=0x1) returned 0x0 [0083.314] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*", lpFindFileData=0xf1e3f0 | out: lpFindFileData=0xf1e3f0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3350 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7b6f6cb, ftCreationTime.dwHighDateTime=0x1d5ce36, ftLastAccessTime.dwLowDateTime=0xe7b6f6cb, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe7b6f6cb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1443, dwReserved0=0x0, dwReserved1=0x0, cFileName="#DECRYPT MY FILES#.html", cAlternateFileName="#DECRY~1.HTM")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0083.315] FindNextFileW (in: hFindFile=0x10b3350, lpFindFileData=0xf1e400 | out: lpFindFileData=0xf1e400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 0 [0083.316] FindClose (in: hFindFile=0x10b3350 | out: hFindFile=0x10b3350) returned 1 [0083.316] SetErrorMode (uMode=0x0) returned 0x1 [0083.316] CoTaskMemAlloc (cb=0x20c) returned 0x10bd680 [0083.316] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10bd680 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0083.316] CoTaskMemFree (pv=0x10bd680) [0083.316] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0083.316] CoCreateGuid (in: pguid=0xf1e5d0 | out: pguid=0xf1e5d0*(Data1=0xf25cf06b, Data2=0xb1d1, Data3=0x4727, Data4=([0]=0xb0, [1]=0x7a, [2]=0xd, [3]=0x22, [4]=0x71, [5]=0x6e, [6]=0x7, [7]=0xd1))) returned 0x0 [0083.316] CoTaskMemAlloc (cb=0x20c) returned 0x10bd8a0 [0083.316] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10bd8a0 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0083.316] CoTaskMemFree (pv=0x10bd8a0) [0083.316] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0083.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun", nBufferLength=0x105, lpBuffer=0xf1e1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun", lpFilePart=0x0) returned 0x39 [0083.316] SetErrorMode (uMode=0x1) returned 0x0 [0083.316] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*", lpFindFileData=0xf1e360 | out: lpFindFileData=0xf1e360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3a10 [0083.317] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x58c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="APFD9C~1.DLL")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="APC00F~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x50c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="AP0479~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="AP23C9~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="APCB40~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="APAE51~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x68c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="AP972F~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="AP7D9E~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="APFCAD~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="AP8F34~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="APD1B7~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="APBF0F~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="AP5E4C~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="AP80F4~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb979f700, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x27c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApiClient.dll", cAlternateFileName="APICLI~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bc01200, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xa02d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVCatalog.dll", cAlternateFileName="APPVCA~1.DLL")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1f5ad8, dwReserved0=0x0, dwReserved1=0x0, cFileName="appvcleaner.exe", cAlternateFileName="APPVCL~1.EXE")) returned 1 [0083.320] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x4b0d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVFileSystemMetadata.dll", cAlternateFileName="APPVFI~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x2052d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIntegration.dll", cAlternateFileName="APPVIN~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a59305, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a59305, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x726d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvApi.dll", cAlternateFileName="APPVIS~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1b7300, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x60ea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvStream32.dll", cAlternateFileName="APPVIS~2.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5e67000, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x73aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvStream64.dll", cAlternateFileName="APPVIS~3.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x336d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvStreamingManager.dll", cAlternateFileName="APPVIS~4.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1566d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvSubsystemController.dll", cAlternateFileName="AP213A~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18d60800, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvSubsystems32.dll", cAlternateFileName="AP3342~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80acba0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80acba0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbbdc5100, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x22e0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvSubsystems64.dll", cAlternateFileName="AP4400~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x8a8d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvVirtualization.dll", cAlternateFileName="AP485B~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x12cad8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVManifest.dll", cAlternateFileName="APPVMA~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xe76d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVOrchestration.dll", cAlternateFileName="APPVOR~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x13c4d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVPolicy.dll", cAlternateFileName="APPVPO~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x7d0d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVScripting.dll", cAlternateFileName="APPVSC~1.DLL")) returned 1 [0083.321] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x406d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVShNotify.exe", cAlternateFileName="APPVSH~1.EXE")) returned 1 [0083.322] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14115400, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0xc84c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2R32.dll", cAlternateFileName="")) returned 1 [0083.322] FindNextFileW (in: hFindFile=0x10b3a10, lpFindFileData=0xf1e370 | out: lpFindFileData=0xf1e370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb4b54300, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x127260, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2R64.dll", cAlternateFileName="")) returned 1 [0083.322] SetErrorMode (uMode=0x0) returned 0x1 [0083.322] SetErrorMode (uMode=0x1) returned 0x0 [0083.322] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0)) returned 1 [0083.323] SetErrorMode (uMode=0x0) returned 0x1 [0083.323] SetErrorMode (uMode=0x1) returned 0x0 [0083.323] SetErrorMode (uMode=0x0) returned 0x1 [0083.323] GetFileType (hFile=0x30c) returned 0x1 [0083.323] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18603, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x15 [0083.335] CloseHandle (hObject=0x30c) returned 1 [0083.336] SetErrorMode (uMode=0x1) returned 0x0 [0083.336] SetErrorMode (uMode=0x0) returned 0x1 [0083.336] GetFileType (hFile=0x30c) returned 0x1 [0083.336] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x48c0 [0083.338] CloseHandle (hObject=0x30c) returned 1 [0083.342] SetErrorMode (uMode=0x1) returned 0x0 [0083.342] SetErrorMode (uMode=0x0) returned 0x1 [0083.342] GetFileType (hFile=0x30c) returned 0x1 [0083.342] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x15 [0083.344] CloseHandle (hObject=0x30c) returned 1 [0083.344] SetErrorMode (uMode=0x1) returned 0x0 [0083.344] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7bbe3d3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6a28)) returned 1 [0083.344] SetErrorMode (uMode=0x0) returned 0x1 [0083.344] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.345] SetErrorMode (uMode=0x1) returned 0x0 [0083.345] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0)) returned 1 [0083.355] SetErrorMode (uMode=0x0) returned 0x1 [0083.355] SetErrorMode (uMode=0x1) returned 0x0 [0083.355] SetErrorMode (uMode=0x0) returned 0x1 [0083.355] GetFileType (hFile=0x30c) returned 0x1 [0083.355] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18603, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x15 [0083.357] CloseHandle (hObject=0x30c) returned 1 [0083.357] SetErrorMode (uMode=0x1) returned 0x0 [0083.357] SetErrorMode (uMode=0x0) returned 0x1 [0083.357] GetFileType (hFile=0x30c) returned 0x1 [0083.357] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x48c0 [0083.360] CloseHandle (hObject=0x30c) returned 1 [0083.364] SetErrorMode (uMode=0x1) returned 0x0 [0083.364] SetErrorMode (uMode=0x0) returned 0x1 [0083.364] GetFileType (hFile=0x30c) returned 0x1 [0083.364] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x15 [0083.365] CloseHandle (hObject=0x30c) returned 1 [0083.366] SetErrorMode (uMode=0x1) returned 0x0 [0083.366] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c082c3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6a28)) returned 1 [0083.366] SetErrorMode (uMode=0x0) returned 0x1 [0083.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.367] SetErrorMode (uMode=0x1) returned 0x0 [0083.367] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0)) returned 1 [0083.367] SetErrorMode (uMode=0x0) returned 0x1 [0083.367] SetErrorMode (uMode=0x1) returned 0x0 [0083.367] SetErrorMode (uMode=0x0) returned 0x1 [0083.367] GetFileType (hFile=0x30c) returned 0x1 [0083.367] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-21177, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x7 [0083.369] CloseHandle (hObject=0x30c) returned 1 [0083.369] SetErrorMode (uMode=0x1) returned 0x0 [0083.369] SetErrorMode (uMode=0x0) returned 0x1 [0083.369] GetFileType (hFile=0x30c) returned 0x1 [0083.369] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x52c0 [0083.371] CloseHandle (hObject=0x30c) returned 1 [0083.378] SetErrorMode (uMode=0x1) returned 0x0 [0083.378] SetErrorMode (uMode=0x0) returned 0x1 [0083.378] GetFileType (hFile=0x30c) returned 0x1 [0083.378] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x7 [0083.379] CloseHandle (hObject=0x30c) returned 1 [0083.379] SetErrorMode (uMode=0x1) returned 0x0 [0083.380] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c082c3, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x78c6)) returned 1 [0083.380] SetErrorMode (uMode=0x0) returned 0x1 [0083.380] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.381] SetErrorMode (uMode=0x1) returned 0x0 [0083.381] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0)) returned 1 [0083.381] SetErrorMode (uMode=0x0) returned 0x1 [0083.381] SetErrorMode (uMode=0x1) returned 0x0 [0083.381] SetErrorMode (uMode=0x0) returned 0x1 [0083.381] GetFileType (hFile=0x30c) returned 0x1 [0083.381] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19071, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41 [0083.383] CloseHandle (hObject=0x30c) returned 1 [0083.383] SetErrorMode (uMode=0x1) returned 0x0 [0083.383] SetErrorMode (uMode=0x0) returned 0x1 [0083.383] GetFileType (hFile=0x30c) returned 0x1 [0083.383] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4ac0 [0083.385] CloseHandle (hObject=0x30c) returned 1 [0083.388] SetErrorMode (uMode=0x1) returned 0x0 [0083.389] SetErrorMode (uMode=0x0) returned 0x1 [0083.389] GetFileType (hFile=0x30c) returned 0x1 [0083.389] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41 [0083.390] CloseHandle (hObject=0x30c) returned 1 [0083.390] SetErrorMode (uMode=0x1) returned 0x0 [0083.390] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c2e56e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6d00)) returned 1 [0083.390] SetErrorMode (uMode=0x0) returned 0x1 [0083.390] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.391] SetErrorMode (uMode=0x1) returned 0x0 [0083.391] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0)) returned 1 [0083.391] SetErrorMode (uMode=0x0) returned 0x1 [0083.391] SetErrorMode (uMode=0x1) returned 0x0 [0083.391] SetErrorMode (uMode=0x0) returned 0x1 [0083.391] GetFileType (hFile=0x30c) returned 0x1 [0083.391] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19071, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41 [0083.422] CloseHandle (hObject=0x30c) returned 1 [0083.422] SetErrorMode (uMode=0x1) returned 0x0 [0083.422] SetErrorMode (uMode=0x0) returned 0x1 [0083.422] GetFileType (hFile=0x30c) returned 0x1 [0083.422] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4ac0 [0083.432] CloseHandle (hObject=0x30c) returned 1 [0083.436] SetErrorMode (uMode=0x1) returned 0x0 [0083.436] SetErrorMode (uMode=0x0) returned 0x1 [0083.436] GetFileType (hFile=0x30c) returned 0x1 [0083.436] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41 [0083.437] CloseHandle (hObject=0x30c) returned 1 [0083.437] SetErrorMode (uMode=0x1) returned 0x0 [0083.437] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ca0951, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6d00)) returned 1 [0083.438] SetErrorMode (uMode=0x0) returned 0x1 [0083.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.438] SetErrorMode (uMode=0x1) returned 0x0 [0083.438] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0)) returned 1 [0083.439] SetErrorMode (uMode=0x0) returned 0x1 [0083.439] SetErrorMode (uMode=0x1) returned 0x0 [0083.439] SetErrorMode (uMode=0x0) returned 0x1 [0083.439] GetFileType (hFile=0x30c) returned 0x1 [0083.439] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-18603, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x15 [0083.441] CloseHandle (hObject=0x30c) returned 1 [0083.441] SetErrorMode (uMode=0x1) returned 0x0 [0083.441] SetErrorMode (uMode=0x0) returned 0x1 [0083.441] GetFileType (hFile=0x30c) returned 0x1 [0083.441] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x48c0 [0083.444] CloseHandle (hObject=0x30c) returned 1 [0083.447] SetErrorMode (uMode=0x1) returned 0x0 [0083.447] SetErrorMode (uMode=0x0) returned 0x1 [0083.447] GetFileType (hFile=0x30c) returned 0x1 [0083.447] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x15 [0083.448] CloseHandle (hObject=0x30c) returned 1 [0083.449] SetErrorMode (uMode=0x1) returned 0x0 [0083.449] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7cc6bf9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6a28)) returned 1 [0083.449] SetErrorMode (uMode=0x0) returned 0x1 [0083.449] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.451] SetErrorMode (uMode=0x1) returned 0x0 [0083.451] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x2d60)) returned 1 [0083.451] SetErrorMode (uMode=0x0) returned 0x1 [0083.451] SetErrorMode (uMode=0x1) returned 0x0 [0083.451] SetErrorMode (uMode=0x0) returned 0x1 [0083.451] GetFileType (hFile=0x30c) returned 0x1 [0083.451] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-11583, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x21 [0083.453] CloseHandle (hObject=0x30c) returned 1 [0083.453] SetErrorMode (uMode=0x1) returned 0x0 [0083.453] SetErrorMode (uMode=0x0) returned 0x1 [0083.453] GetFileType (hFile=0x30c) returned 0x1 [0083.453] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x2d60 [0083.455] CloseHandle (hObject=0x30c) returned 1 [0083.457] SetErrorMode (uMode=0x1) returned 0x0 [0083.457] SetErrorMode (uMode=0x0) returned 0x1 [0083.457] GetFileType (hFile=0x30c) returned 0x1 [0083.458] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x21 [0083.459] CloseHandle (hObject=0x30c) returned 1 [0083.459] SetErrorMode (uMode=0x1) returned 0x0 [0083.459] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ced0e8, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x4234)) returned 1 [0083.459] SetErrorMode (uMode=0x0) returned 0x1 [0083.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.460] SetErrorMode (uMode=0x1) returned 0x0 [0083.460] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0)) returned 1 [0083.460] SetErrorMode (uMode=0x0) returned 0x1 [0083.460] SetErrorMode (uMode=0x1) returned 0x0 [0083.461] SetErrorMode (uMode=0x0) returned 0x1 [0083.461] GetFileType (hFile=0x30c) returned 0x1 [0083.461] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19539, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6d [0083.495] CloseHandle (hObject=0x30c) returned 1 [0083.496] SetErrorMode (uMode=0x1) returned 0x0 [0083.496] SetErrorMode (uMode=0x0) returned 0x1 [0083.496] GetFileType (hFile=0x30c) returned 0x1 [0083.496] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4cc0 [0083.498] CloseHandle (hObject=0x30c) returned 1 [0083.501] SetErrorMode (uMode=0x1) returned 0x0 [0083.502] SetErrorMode (uMode=0x0) returned 0x1 [0083.502] GetFileType (hFile=0x30c) returned 0x1 [0083.502] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x6d [0083.503] CloseHandle (hObject=0x30c) returned 1 [0083.503] SetErrorMode (uMode=0x1) returned 0x0 [0083.503] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7d392e9, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6fd8)) returned 1 [0083.503] SetErrorMode (uMode=0x0) returned 0x1 [0083.504] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.504] SetErrorMode (uMode=0x1) returned 0x0 [0083.504] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x58c0)) returned 1 [0083.504] SetErrorMode (uMode=0x0) returned 0x1 [0083.505] SetErrorMode (uMode=0x1) returned 0x0 [0083.505] SetErrorMode (uMode=0x0) returned 0x1 [0083.505] GetFileType (hFile=0x30c) returned 0x1 [0083.505] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-22698, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x16 [0083.747] CloseHandle (hObject=0x30c) returned 1 [0083.747] SetErrorMode (uMode=0x1) returned 0x0 [0083.748] SetErrorMode (uMode=0x0) returned 0x1 [0083.748] GetFileType (hFile=0x30c) returned 0x1 [0083.748] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x58c0 [0083.750] CloseHandle (hObject=0x30c) returned 1 [0083.755] SetErrorMode (uMode=0x1) returned 0x0 [0083.755] SetErrorMode (uMode=0x0) returned 0x1 [0083.755] GetFileType (hFile=0x30c) returned 0x1 [0083.755] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x16 [0083.757] CloseHandle (hObject=0x30c) returned 1 [0083.757] SetErrorMode (uMode=0x1) returned 0x0 [0083.757] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7fc1e09, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8181)) returned 1 [0083.757] SetErrorMode (uMode=0x0) returned 0x1 [0083.757] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.758] SetErrorMode (uMode=0x1) returned 0x0 [0083.758] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0)) returned 1 [0083.760] SetErrorMode (uMode=0x0) returned 0x1 [0083.760] SetErrorMode (uMode=0x1) returned 0x0 [0083.760] SetErrorMode (uMode=0x0) returned 0x1 [0083.760] GetFileType (hFile=0x30c) returned 0x1 [0083.760] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19071, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41 [0083.763] CloseHandle (hObject=0x30c) returned 1 [0083.763] SetErrorMode (uMode=0x1) returned 0x0 [0083.763] SetErrorMode (uMode=0x0) returned 0x1 [0083.763] GetFileType (hFile=0x30c) returned 0x1 [0083.763] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4ac0 [0083.765] CloseHandle (hObject=0x30c) returned 1 [0083.852] SetErrorMode (uMode=0x1) returned 0x0 [0083.852] SetErrorMode (uMode=0x0) returned 0x1 [0083.852] GetFileType (hFile=0x30c) returned 0x1 [0083.853] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41 [0083.854] CloseHandle (hObject=0x30c) returned 1 [0083.854] SetErrorMode (uMode=0x1) returned 0x0 [0083.854] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80a6b61, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6d00)) returned 1 [0083.854] SetErrorMode (uMode=0x0) returned 0x1 [0083.854] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.855] SetErrorMode (uMode=0x1) returned 0x0 [0083.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x50c0)) returned 1 [0083.855] SetErrorMode (uMode=0x0) returned 0x1 [0083.855] SetErrorMode (uMode=0x1) returned 0x0 [0083.856] SetErrorMode (uMode=0x0) returned 0x1 [0083.856] GetFileType (hFile=0x30c) returned 0x1 [0083.856] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-20592, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x50 [0083.858] CloseHandle (hObject=0x30c) returned 1 [0083.858] SetErrorMode (uMode=0x1) returned 0x0 [0083.858] SetErrorMode (uMode=0x0) returned 0x1 [0083.858] GetFileType (hFile=0x30c) returned 0x1 [0083.858] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x50c0 [0083.860] CloseHandle (hObject=0x30c) returned 1 [0083.864] SetErrorMode (uMode=0x1) returned 0x0 [0083.864] SetErrorMode (uMode=0x0) returned 0x1 [0083.864] GetFileType (hFile=0x30c) returned 0x1 [0083.864] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x50 [0083.865] CloseHandle (hObject=0x30c) returned 1 [0083.866] SetErrorMode (uMode=0x1) returned 0x0 [0083.866] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80ccda2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x75bb)) returned 1 [0083.866] SetErrorMode (uMode=0x0) returned 0x1 [0083.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.867] SetErrorMode (uMode=0x1) returned 0x0 [0083.867] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0)) returned 1 [0083.867] SetErrorMode (uMode=0x0) returned 0x1 [0083.867] SetErrorMode (uMode=0x1) returned 0x0 [0083.867] SetErrorMode (uMode=0x0) returned 0x1 [0083.867] GetFileType (hFile=0x30c) returned 0x1 [0083.867] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19539, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6d [0083.870] CloseHandle (hObject=0x30c) returned 1 [0083.870] SetErrorMode (uMode=0x1) returned 0x0 [0083.870] SetErrorMode (uMode=0x0) returned 0x1 [0083.870] GetFileType (hFile=0x30c) returned 0x1 [0083.870] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4cc0 [0083.872] CloseHandle (hObject=0x30c) returned 1 [0083.875] SetErrorMode (uMode=0x1) returned 0x0 [0083.876] SetErrorMode (uMode=0x0) returned 0x1 [0083.876] GetFileType (hFile=0x30c) returned 0x1 [0083.876] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x6d [0083.877] CloseHandle (hObject=0x30c) returned 1 [0083.877] SetErrorMode (uMode=0x1) returned 0x0 [0083.877] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80ccda2, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6fd8)) returned 1 [0083.877] SetErrorMode (uMode=0x0) returned 0x1 [0083.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.878] SetErrorMode (uMode=0x1) returned 0x0 [0083.878] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0)) returned 1 [0083.878] SetErrorMode (uMode=0x0) returned 0x1 [0083.878] SetErrorMode (uMode=0x1) returned 0x0 [0083.879] SetErrorMode (uMode=0x0) returned 0x1 [0083.879] GetFileType (hFile=0x30c) returned 0x1 [0083.879] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19071, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41 [0083.880] CloseHandle (hObject=0x30c) returned 1 [0083.880] SetErrorMode (uMode=0x1) returned 0x0 [0083.881] SetErrorMode (uMode=0x0) returned 0x1 [0083.881] GetFileType (hFile=0x30c) returned 0x1 [0083.881] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4ac0 [0083.883] CloseHandle (hObject=0x30c) returned 1 [0083.886] SetErrorMode (uMode=0x1) returned 0x0 [0083.886] SetErrorMode (uMode=0x0) returned 0x1 [0083.886] GetFileType (hFile=0x30c) returned 0x1 [0083.886] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41 [0083.888] CloseHandle (hObject=0x30c) returned 1 [0083.888] SetErrorMode (uMode=0x1) returned 0x0 [0083.888] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80f2d1d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6d00)) returned 1 [0083.888] SetErrorMode (uMode=0x0) returned 0x1 [0083.888] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.889] SetErrorMode (uMode=0x1) returned 0x0 [0083.889] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0)) returned 1 [0083.937] SetErrorMode (uMode=0x0) returned 0x1 [0083.940] SetErrorMode (uMode=0x1) returned 0x0 [0083.940] SetErrorMode (uMode=0x0) returned 0x1 [0083.940] GetFileType (hFile=0x30c) returned 0x1 [0083.940] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-27729, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6f [0083.942] CloseHandle (hObject=0x30c) returned 1 [0083.942] SetErrorMode (uMode=0x1) returned 0x0 [0083.942] SetErrorMode (uMode=0x0) returned 0x1 [0083.942] GetFileType (hFile=0x30c) returned 0x1 [0083.942] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x6cc0 [0083.945] CloseHandle (hObject=0x30c) returned 1 [0083.949] SetErrorMode (uMode=0x1) returned 0x0 [0083.949] SetErrorMode (uMode=0x0) returned 0x1 [0083.949] GetFileType (hFile=0x30c) returned 0x1 [0083.949] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x6f [0083.951] CloseHandle (hObject=0x30c) returned 1 [0083.951] SetErrorMode (uMode=0x1) returned 0x0 [0083.951] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe818b7d0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x9e82)) returned 1 [0083.951] SetErrorMode (uMode=0x0) returned 0x1 [0083.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.952] SetErrorMode (uMode=0x1) returned 0x0 [0083.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x68c0)) returned 1 [0083.953] SetErrorMode (uMode=0x0) returned 0x1 [0083.953] SetErrorMode (uMode=0x1) returned 0x0 [0083.953] SetErrorMode (uMode=0x0) returned 0x1 [0083.953] GetFileType (hFile=0x30c) returned 0x1 [0083.953] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-26793, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x17 [0083.954] CloseHandle (hObject=0x30c) returned 1 [0083.955] SetErrorMode (uMode=0x1) returned 0x0 [0083.955] SetErrorMode (uMode=0x0) returned 0x1 [0083.955] GetFileType (hFile=0x30c) returned 0x1 [0083.955] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x68c0 [0083.957] CloseHandle (hObject=0x30c) returned 1 [0083.962] SetErrorMode (uMode=0x1) returned 0x0 [0083.962] SetErrorMode (uMode=0x0) returned 0x1 [0083.962] GetFileType (hFile=0x30c) returned 0x1 [0083.962] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x17 [0083.963] CloseHandle (hObject=0x30c) returned 1 [0083.964] SetErrorMode (uMode=0x1) returned 0x0 [0083.964] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe81b1b8d, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x98d6)) returned 1 [0083.964] SetErrorMode (uMode=0x0) returned 0x1 [0083.964] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0083.965] SetErrorMode (uMode=0x1) returned 0x0 [0083.965] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x114c0)) returned 1 [0083.965] SetErrorMode (uMode=0x0) returned 0x1 [0083.965] SetErrorMode (uMode=0x1) returned 0x0 [0083.965] SetErrorMode (uMode=0x0) returned 0x1 [0083.965] GetFileType (hFile=0x30c) returned 0x1 [0083.965] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x1ac1 [0083.967] CloseHandle (hObject=0x30c) returned 1 [0083.967] SetErrorMode (uMode=0x1) returned 0x0 [0083.967] SetErrorMode (uMode=0x0) returned 0x1 [0083.967] GetFileType (hFile=0x30c) returned 0x1 [0083.967] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x114c0 [0083.970] CloseHandle (hObject=0x30c) returned 1 [0084.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.006] SetErrorMode (uMode=0x1) returned 0x0 [0084.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.006] SetErrorMode (uMode=0x0) returned 0x1 [0084.006] GetFileType (hFile=0x30c) returned 0x1 [0084.006] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x1ac1 [0084.009] CloseHandle (hObject=0x30c) returned 1 [0084.009] SetErrorMode (uMode=0x1) returned 0x0 [0084.009] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8224552, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x18780)) returned 1 [0084.010] SetErrorMode (uMode=0x0) returned 0x1 [0084.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.010] SetErrorMode (uMode=0x1) returned 0x0 [0084.010] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0)) returned 1 [0084.011] SetErrorMode (uMode=0x0) returned 0x1 [0084.011] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.011] SetErrorMode (uMode=0x1) returned 0x0 [0084.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.011] SetErrorMode (uMode=0x0) returned 0x1 [0084.011] GetFileType (hFile=0x30c) returned 0x1 [0084.011] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19539, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6d [0084.013] CloseHandle (hObject=0x30c) returned 1 [0084.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.013] SetErrorMode (uMode=0x1) returned 0x0 [0084.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.013] SetErrorMode (uMode=0x0) returned 0x1 [0084.013] GetFileType (hFile=0x30c) returned 0x1 [0084.013] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4cc0 [0084.015] CloseHandle (hObject=0x30c) returned 1 [0084.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.029] SetErrorMode (uMode=0x1) returned 0x0 [0084.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.029] SetErrorMode (uMode=0x0) returned 0x1 [0084.029] GetFileType (hFile=0x30c) returned 0x1 [0084.029] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x6d [0084.031] CloseHandle (hObject=0x30c) returned 1 [0084.031] SetErrorMode (uMode=0x1) returned 0x0 [0084.031] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe824a620, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6fd8)) returned 1 [0084.031] SetErrorMode (uMode=0x0) returned 0x1 [0084.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.032] SetErrorMode (uMode=0x1) returned 0x0 [0084.032] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0)) returned 1 [0084.063] SetErrorMode (uMode=0x0) returned 0x1 [0084.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.064] SetErrorMode (uMode=0x1) returned 0x0 [0084.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.064] SetErrorMode (uMode=0x0) returned 0x1 [0084.064] GetFileType (hFile=0x30c) returned 0x1 [0084.064] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-23166, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x42 [0084.066] CloseHandle (hObject=0x30c) returned 1 [0084.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.066] SetErrorMode (uMode=0x1) returned 0x0 [0084.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.067] SetErrorMode (uMode=0x0) returned 0x1 [0084.067] GetFileType (hFile=0x30c) returned 0x1 [0084.067] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x5ac0 [0084.069] CloseHandle (hObject=0x30c) returned 1 [0084.078] SetErrorMode (uMode=0x1) returned 0x0 [0084.078] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.078] SetErrorMode (uMode=0x0) returned 0x1 [0084.078] GetFileType (hFile=0x30c) returned 0x1 [0084.078] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x42 [0084.080] CloseHandle (hObject=0x30c) returned 1 [0084.080] SetErrorMode (uMode=0x1) returned 0x0 [0084.080] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe82bca0c, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8455)) returned 1 [0084.080] SetErrorMode (uMode=0x0) returned 0x1 [0084.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.081] SetErrorMode (uMode=0x1) returned 0x0 [0084.081] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0)) returned 1 [0084.081] SetErrorMode (uMode=0x0) returned 0x1 [0084.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll", lpFilePart=0x0) returned 0x59 [0084.081] SetErrorMode (uMode=0x1) returned 0x0 [0084.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.082] SetErrorMode (uMode=0x0) returned 0x1 [0084.082] GetFileType (hFile=0x30c) returned 0x1 [0084.082] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-24687, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x51 [0084.085] CloseHandle (hObject=0x30c) returned 1 [0084.085] SetErrorMode (uMode=0x1) returned 0x0 [0084.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.085] SetErrorMode (uMode=0x0) returned 0x1 [0084.085] GetFileType (hFile=0x30c) returned 0x1 [0084.086] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x60c0 [0084.088] CloseHandle (hObject=0x30c) returned 1 [0084.092] SetErrorMode (uMode=0x1) returned 0x0 [0084.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.092] SetErrorMode (uMode=0x0) returned 0x1 [0084.092] GetFileType (hFile=0x30c) returned 0x1 [0084.092] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x51 [0084.094] CloseHandle (hObject=0x30c) returned 1 [0084.094] SetErrorMode (uMode=0x1) returned 0x0 [0084.094] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe82e2bf7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8d10)) returned 1 [0084.094] SetErrorMode (uMode=0x0) returned 0x1 [0084.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.095] SetErrorMode (uMode=0x1) returned 0x0 [0084.095] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0)) returned 1 [0084.095] SetErrorMode (uMode=0x0) returned 0x1 [0084.095] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll", lpFilePart=0x0) returned 0x5a [0084.095] SetErrorMode (uMode=0x1) returned 0x0 [0084.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.095] SetErrorMode (uMode=0x0) returned 0x1 [0084.095] GetFileType (hFile=0x30c) returned 0x1 [0084.095] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-24687, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x51 [0084.097] CloseHandle (hObject=0x30c) returned 1 [0084.097] SetErrorMode (uMode=0x1) returned 0x0 [0084.097] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.098] SetErrorMode (uMode=0x0) returned 0x1 [0084.098] GetFileType (hFile=0x30c) returned 0x1 [0084.098] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x60c0 [0084.106] CloseHandle (hObject=0x30c) returned 1 [0084.110] SetErrorMode (uMode=0x1) returned 0x0 [0084.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.111] SetErrorMode (uMode=0x0) returned 0x1 [0084.111] GetFileType (hFile=0x30c) returned 0x1 [0084.111] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x51 [0084.112] CloseHandle (hObject=0x30c) returned 1 [0084.112] SetErrorMode (uMode=0x1) returned 0x0 [0084.112] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe830910a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x8d10)) returned 1 [0084.113] SetErrorMode (uMode=0x0) returned 0x1 [0084.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.113] SetErrorMode (uMode=0x1) returned 0x0 [0084.113] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0)) returned 1 [0084.113] SetErrorMode (uMode=0x0) returned 0x1 [0084.114] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", lpFilePart=0x0) returned 0x58 [0084.114] SetErrorMode (uMode=0x1) returned 0x0 [0084.114] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.114] SetErrorMode (uMode=0x0) returned 0x1 [0084.114] GetFileType (hFile=0x30c) returned 0x1 [0084.114] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-21177, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x7 [0084.118] CloseHandle (hObject=0x30c) returned 1 [0084.118] SetErrorMode (uMode=0x1) returned 0x0 [0084.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.118] SetErrorMode (uMode=0x0) returned 0x1 [0084.118] GetFileType (hFile=0x30c) returned 0x1 [0084.119] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x52c0 [0084.121] CloseHandle (hObject=0x30c) returned 1 [0084.128] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", lpFilePart=0x0) returned 0x58 [0084.128] SetErrorMode (uMode=0x1) returned 0x0 [0084.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.128] SetErrorMode (uMode=0x0) returned 0x1 [0084.128] GetFileType (hFile=0x30c) returned 0x1 [0084.128] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x7 [0084.129] CloseHandle (hObject=0x30c) returned 1 [0084.130] SetErrorMode (uMode=0x1) returned 0x0 [0084.130] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe832f531, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x78c6)) returned 1 [0084.130] SetErrorMode (uMode=0x0) returned 0x1 [0084.130] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.131] SetErrorMode (uMode=0x1) returned 0x0 [0084.131] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0)) returned 1 [0084.131] SetErrorMode (uMode=0x0) returned 0x1 [0084.131] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll", lpFilePart=0x0) returned 0x5b [0084.131] SetErrorMode (uMode=0x1) returned 0x0 [0084.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.131] SetErrorMode (uMode=0x0) returned 0x1 [0084.132] GetFileType (hFile=0x30c) returned 0x1 [0084.132] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-19071, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41 [0084.133] CloseHandle (hObject=0x30c) returned 1 [0084.133] SetErrorMode (uMode=0x1) returned 0x0 [0084.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.134] SetErrorMode (uMode=0x0) returned 0x1 [0084.134] GetFileType (hFile=0x30c) returned 0x1 [0084.134] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x4ac0 [0084.136] CloseHandle (hObject=0x30c) returned 1 [0084.139] SetErrorMode (uMode=0x1) returned 0x0 [0084.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.140] SetErrorMode (uMode=0x0) returned 0x1 [0084.140] GetFileType (hFile=0x30c) returned 0x1 [0084.140] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41 [0084.141] CloseHandle (hObject=0x30c) returned 1 [0084.141] SetErrorMode (uMode=0x1) returned 0x0 [0084.141] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83556e7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x6d00)) returned 1 [0084.141] SetErrorMode (uMode=0x0) returned 0x1 [0084.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.142] SetErrorMode (uMode=0x1) returned 0x0 [0084.142] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb979f700, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x27c40)) returned 1 [0084.142] SetErrorMode (uMode=0x0) returned 0x1 [0084.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll", lpFilePart=0x0) returned 0x47 [0084.142] SetErrorMode (uMode=0x1) returned 0x0 [0084.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.143] SetErrorMode (uMode=0x0) returned 0x1 [0084.143] GetFileType (hFile=0x30c) returned 0x1 [0084.143] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x18241 [0084.154] CloseHandle (hObject=0x30c) returned 1 [0084.154] SetErrorMode (uMode=0x1) returned 0x0 [0084.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.157] SetErrorMode (uMode=0x0) returned 0x1 [0084.158] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll", lpFilePart=0x0) returned 0x49 [0084.158] SetErrorMode (uMode=0x1) returned 0x0 [0084.158] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bc01200, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xa02d8)) returned 1 [0084.158] SetErrorMode (uMode=0x0) returned 0x1 [0084.158] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll", lpFilePart=0x0) returned 0x49 [0084.159] SetErrorMode (uMode=0x1) returned 0x0 [0084.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.159] SetErrorMode (uMode=0x0) returned 0x1 [0084.159] GetFileType (hFile=0x30c) returned 0x1 [0084.159] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x908d9 [0084.160] CloseHandle (hObject=0x30c) returned 1 [0084.161] SetErrorMode (uMode=0x1) returned 0x0 [0084.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.163] SetErrorMode (uMode=0x0) returned 0x1 [0084.164] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", lpFilePart=0x0) returned 0x49 [0084.164] SetErrorMode (uMode=0x1) returned 0x0 [0084.164] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1f5ad8)) returned 1 [0084.165] SetErrorMode (uMode=0x0) returned 0x1 [0084.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", lpFilePart=0x0) returned 0x49 [0084.165] SetErrorMode (uMode=0x1) returned 0x0 [0084.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.165] SetErrorMode (uMode=0x0) returned 0x1 [0084.165] GetFileType (hFile=0x30c) returned 0x1 [0084.165] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x1e60d9 [0084.167] CloseHandle (hObject=0x30c) returned 1 [0084.167] SetErrorMode (uMode=0x1) returned 0x0 [0084.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.167] SetErrorMode (uMode=0x0) returned 0x1 [0084.168] GetFileType (hFile=0x30c) returned 0x1 [0084.168] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x1f5ad8 [0084.173] CloseHandle (hObject=0x30c) returned 1 [0084.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", lpFilePart=0x0) returned 0x49 [0084.192] SetErrorMode (uMode=0x1) returned 0x0 [0084.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.192] SetErrorMode (uMode=0x0) returned 0x1 [0084.192] GetFileType (hFile=0x30c) returned 0x1 [0084.192] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x1e60d9 [0084.203] CloseHandle (hObject=0x30c) returned 1 [0084.203] SetErrorMode (uMode=0x1) returned 0x0 [0084.203] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83edf83, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1fcd98)) returned 1 [0084.203] SetErrorMode (uMode=0x0) returned 0x1 [0084.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.204] SetErrorMode (uMode=0x1) returned 0x0 [0084.204] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x4b0d8)) returned 1 [0084.204] SetErrorMode (uMode=0x0) returned 0x1 [0084.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll", lpFilePart=0x0) returned 0x54 [0084.204] SetErrorMode (uMode=0x1) returned 0x0 [0084.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.204] SetErrorMode (uMode=0x0) returned 0x1 [0084.204] GetFileType (hFile=0x30c) returned 0x1 [0084.205] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x3b6d9 [0084.210] CloseHandle (hObject=0x30c) returned 1 [0084.210] SetErrorMode (uMode=0x1) returned 0x0 [0084.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.213] SetErrorMode (uMode=0x0) returned 0x1 [0084.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll", lpFilePart=0x0) returned 0x4d [0084.213] SetErrorMode (uMode=0x1) returned 0x0 [0084.214] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x2052d8)) returned 1 [0084.214] SetErrorMode (uMode=0x0) returned 0x1 [0084.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll", lpFilePart=0x0) returned 0x4d [0084.214] SetErrorMode (uMode=0x1) returned 0x0 [0084.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.214] SetErrorMode (uMode=0x0) returned 0x1 [0084.214] GetFileType (hFile=0x30c) returned 0x1 [0084.214] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x1f58d9 [0084.219] CloseHandle (hObject=0x30c) returned 1 [0084.219] SetErrorMode (uMode=0x1) returned 0x0 [0084.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.221] SetErrorMode (uMode=0x0) returned 0x1 [0084.222] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll", lpFilePart=0x0) returned 0x48 [0084.222] SetErrorMode (uMode=0x1) returned 0x0 [0084.222] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a59305, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a59305, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x726d8)) returned 1 [0084.222] SetErrorMode (uMode=0x0) returned 0x1 [0084.222] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll", lpFilePart=0x0) returned 0x48 [0084.223] SetErrorMode (uMode=0x1) returned 0x0 [0084.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.223] SetErrorMode (uMode=0x0) returned 0x1 [0084.223] GetFileType (hFile=0x30c) returned 0x1 [0084.223] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x62cd9 [0084.225] CloseHandle (hObject=0x30c) returned 1 [0084.225] SetErrorMode (uMode=0x1) returned 0x0 [0084.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.228] SetErrorMode (uMode=0x0) returned 0x1 [0084.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", lpFilePart=0x0) returned 0x4d [0084.229] SetErrorMode (uMode=0x1) returned 0x0 [0084.229] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1b7300, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x60ea0)) returned 1 [0084.229] SetErrorMode (uMode=0x0) returned 0x1 [0084.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", lpFilePart=0x0) returned 0x4d [0084.229] SetErrorMode (uMode=0x1) returned 0x0 [0084.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.229] SetErrorMode (uMode=0x0) returned 0x1 [0084.229] GetFileType (hFile=0x30c) returned 0x1 [0084.229] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x514a1 [0084.231] CloseHandle (hObject=0x30c) returned 1 [0084.231] SetErrorMode (uMode=0x1) returned 0x0 [0084.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.231] SetErrorMode (uMode=0x0) returned 0x1 [0084.231] GetFileType (hFile=0x30c) returned 0x1 [0084.231] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x60ea0 [0084.234] CloseHandle (hObject=0x30c) returned 1 [0084.272] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll", lpFilePart=0x0) returned 0x4d [0084.272] SetErrorMode (uMode=0x1) returned 0x0 [0084.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.272] SetErrorMode (uMode=0x0) returned 0x1 [0084.272] GetFileType (hFile=0x30c) returned 0x1 [0084.272] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x514a1 [0084.275] CloseHandle (hObject=0x30c) returned 1 [0084.275] SetErrorMode (uMode=0x1) returned 0x0 [0084.275] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe84ac8f4, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x68160)) returned 1 [0084.275] SetErrorMode (uMode=0x0) returned 0x1 [0084.275] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.276] SetErrorMode (uMode=0x1) returned 0x0 [0084.276] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5e67000, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x73aa0)) returned 1 [0084.276] SetErrorMode (uMode=0x0) returned 0x1 [0084.276] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll", lpFilePart=0x0) returned 0x4d [0084.276] SetErrorMode (uMode=0x1) returned 0x0 [0084.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.276] SetErrorMode (uMode=0x0) returned 0x1 [0084.276] GetFileType (hFile=0x30c) returned 0x1 [0084.276] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x640a1 [0084.278] CloseHandle (hObject=0x30c) returned 1 [0084.278] SetErrorMode (uMode=0x1) returned 0x0 [0084.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.281] SetErrorMode (uMode=0x0) returned 0x1 [0084.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll", lpFilePart=0x0) returned 0x55 [0084.282] SetErrorMode (uMode=0x1) returned 0x0 [0084.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x336d8)) returned 1 [0084.282] SetErrorMode (uMode=0x0) returned 0x1 [0084.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll", lpFilePart=0x0) returned 0x55 [0084.282] SetErrorMode (uMode=0x1) returned 0x0 [0084.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.282] SetErrorMode (uMode=0x0) returned 0x1 [0084.282] GetFileType (hFile=0x30c) returned 0x1 [0084.282] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x23cd9 [0084.291] CloseHandle (hObject=0x30c) returned 1 [0084.291] SetErrorMode (uMode=0x1) returned 0x0 [0084.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.293] SetErrorMode (uMode=0x0) returned 0x1 [0084.294] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll", lpFilePart=0x0) returned 0x58 [0084.294] SetErrorMode (uMode=0x1) returned 0x0 [0084.294] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1566d8)) returned 1 [0084.294] SetErrorMode (uMode=0x0) returned 0x1 [0084.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll", lpFilePart=0x0) returned 0x58 [0084.295] SetErrorMode (uMode=0x1) returned 0x0 [0084.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.295] SetErrorMode (uMode=0x0) returned 0x1 [0084.295] GetFileType (hFile=0x30c) returned 0x1 [0084.295] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x146cd9 [0084.298] CloseHandle (hObject=0x30c) returned 1 [0084.298] SetErrorMode (uMode=0x1) returned 0x0 [0084.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.300] SetErrorMode (uMode=0x0) returned 0x1 [0084.301] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", lpFilePart=0x0) returned 0x51 [0084.301] SetErrorMode (uMode=0x1) returned 0x0 [0084.301] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18d60800, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0a8)) returned 1 [0084.301] SetErrorMode (uMode=0x0) returned 0x1 [0084.301] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", lpFilePart=0x0) returned 0x51 [0084.301] SetErrorMode (uMode=0x1) returned 0x0 [0084.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.302] SetErrorMode (uMode=0x0) returned 0x1 [0084.302] GetFileType (hFile=0x30c) returned 0x1 [0084.302] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x19e6a9 [0084.307] CloseHandle (hObject=0x30c) returned 1 [0084.307] SetErrorMode (uMode=0x1) returned 0x0 [0084.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.307] SetErrorMode (uMode=0x0) returned 0x1 [0084.307] GetFileType (hFile=0x30c) returned 0x1 [0084.307] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x1ae0a8 [0084.310] CloseHandle (hObject=0x30c) returned 1 [0084.325] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", lpFilePart=0x0) returned 0x51 [0084.325] SetErrorMode (uMode=0x1) returned 0x0 [0084.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.325] SetErrorMode (uMode=0x0) returned 0x1 [0084.325] GetFileType (hFile=0x30c) returned 0x1 [0084.325] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x19e6a9 [0084.328] CloseHandle (hObject=0x30c) returned 1 [0084.328] SetErrorMode (uMode=0x1) returned 0x0 [0084.328] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe851efdb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b5368)) returned 1 [0084.328] SetErrorMode (uMode=0x0) returned 0x1 [0084.328] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.329] SetErrorMode (uMode=0x1) returned 0x0 [0084.329] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80acba0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80acba0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbbdc5100, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x22e0a8)) returned 1 [0084.329] SetErrorMode (uMode=0x0) returned 0x1 [0084.329] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll", lpFilePart=0x0) returned 0x51 [0084.329] SetErrorMode (uMode=0x1) returned 0x0 [0084.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.329] SetErrorMode (uMode=0x0) returned 0x1 [0084.330] GetFileType (hFile=0x30c) returned 0x1 [0084.330] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x21e6a9 [0084.355] CloseHandle (hObject=0x30c) returned 1 [0084.356] SetErrorMode (uMode=0x1) returned 0x0 [0084.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.358] SetErrorMode (uMode=0x0) returned 0x1 [0084.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll", lpFilePart=0x0) returned 0x53 [0084.359] SetErrorMode (uMode=0x1) returned 0x0 [0084.359] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x8a8d8)) returned 1 [0084.359] SetErrorMode (uMode=0x0) returned 0x1 [0084.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll", lpFilePart=0x0) returned 0x53 [0084.359] SetErrorMode (uMode=0x1) returned 0x0 [0084.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.360] SetErrorMode (uMode=0x0) returned 0x1 [0084.360] GetFileType (hFile=0x30c) returned 0x1 [0084.360] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x7aed9 [0084.362] CloseHandle (hObject=0x30c) returned 1 [0084.362] SetErrorMode (uMode=0x1) returned 0x0 [0084.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.365] SetErrorMode (uMode=0x0) returned 0x1 [0084.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll", lpFilePart=0x0) returned 0x4a [0084.366] SetErrorMode (uMode=0x1) returned 0x0 [0084.366] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x12cad8)) returned 1 [0084.366] SetErrorMode (uMode=0x0) returned 0x1 [0084.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll", lpFilePart=0x0) returned 0x4a [0084.366] SetErrorMode (uMode=0x1) returned 0x0 [0084.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.367] SetErrorMode (uMode=0x0) returned 0x1 [0084.367] GetFileType (hFile=0x30c) returned 0x1 [0084.367] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x11d0d9 [0084.368] CloseHandle (hObject=0x30c) returned 1 [0084.369] SetErrorMode (uMode=0x1) returned 0x0 [0084.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.371] SetErrorMode (uMode=0x0) returned 0x1 [0084.372] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll", lpFilePart=0x0) returned 0x4f [0084.372] SetErrorMode (uMode=0x1) returned 0x0 [0084.372] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xe76d8)) returned 1 [0084.372] SetErrorMode (uMode=0x0) returned 0x1 [0084.372] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll", lpFilePart=0x0) returned 0x4f [0084.372] SetErrorMode (uMode=0x1) returned 0x0 [0084.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.373] SetErrorMode (uMode=0x0) returned 0x1 [0084.373] GetFileType (hFile=0x30c) returned 0x1 [0084.373] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xd7cd9 [0084.375] CloseHandle (hObject=0x30c) returned 1 [0084.375] SetErrorMode (uMode=0x1) returned 0x0 [0084.375] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.378] SetErrorMode (uMode=0x0) returned 0x1 [0084.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll", lpFilePart=0x0) returned 0x48 [0084.379] SetErrorMode (uMode=0x1) returned 0x0 [0084.379] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x13c4d8)) returned 1 [0084.379] SetErrorMode (uMode=0x0) returned 0x1 [0084.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll", lpFilePart=0x0) returned 0x48 [0084.379] SetErrorMode (uMode=0x1) returned 0x0 [0084.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.379] SetErrorMode (uMode=0x0) returned 0x1 [0084.379] GetFileType (hFile=0x30c) returned 0x1 [0084.379] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x12cad9 [0084.381] CloseHandle (hObject=0x30c) returned 1 [0084.381] SetErrorMode (uMode=0x1) returned 0x0 [0084.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.382] SetErrorMode (uMode=0x0) returned 0x1 [0084.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", lpFilePart=0x0) returned 0x4b [0084.383] SetErrorMode (uMode=0x1) returned 0x0 [0084.383] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x7d0d8)) returned 1 [0084.384] SetErrorMode (uMode=0x0) returned 0x1 [0084.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", lpFilePart=0x0) returned 0x4b [0084.384] SetErrorMode (uMode=0x1) returned 0x0 [0084.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.384] SetErrorMode (uMode=0x0) returned 0x1 [0084.384] GetFileType (hFile=0x30c) returned 0x1 [0084.384] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6d6d9 [0084.387] CloseHandle (hObject=0x30c) returned 1 [0084.387] SetErrorMode (uMode=0x1) returned 0x0 [0084.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.387] SetErrorMode (uMode=0x0) returned 0x1 [0084.387] GetFileType (hFile=0x30c) returned 0x1 [0084.387] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x7d0d8 [0084.390] CloseHandle (hObject=0x30c) returned 1 [0084.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", lpFilePart=0x0) returned 0x4b [0084.418] SetErrorMode (uMode=0x1) returned 0x0 [0084.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.419] SetErrorMode (uMode=0x0) returned 0x1 [0084.419] GetFileType (hFile=0x30c) returned 0x1 [0084.419] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x6d6d9 [0084.422] CloseHandle (hObject=0x30c) returned 1 [0084.422] SetErrorMode (uMode=0x1) returned 0x0 [0084.423] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8603d8e, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x84398)) returned 1 [0084.423] SetErrorMode (uMode=0x0) returned 0x1 [0084.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.423] SetErrorMode (uMode=0x1) returned 0x0 [0084.423] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x406d8)) returned 1 [0084.424] SetErrorMode (uMode=0x0) returned 0x1 [0084.424] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", lpFilePart=0x0) returned 0x4a [0084.424] SetErrorMode (uMode=0x1) returned 0x0 [0084.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.424] SetErrorMode (uMode=0x0) returned 0x1 [0084.424] GetFileType (hFile=0x30c) returned 0x1 [0084.424] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x30cd9 [0084.428] CloseHandle (hObject=0x30c) returned 1 [0084.428] SetErrorMode (uMode=0x1) returned 0x0 [0084.428] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.428] SetErrorMode (uMode=0x0) returned 0x1 [0084.428] GetFileType (hFile=0x30c) returned 0x1 [0084.428] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x406d8 [0084.431] CloseHandle (hObject=0x30c) returned 1 [0084.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", lpFilePart=0x0) returned 0x4a [0084.535] SetErrorMode (uMode=0x1) returned 0x0 [0084.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.535] SetErrorMode (uMode=0x0) returned 0x1 [0084.535] GetFileType (hFile=0x30c) returned 0x1 [0084.535] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x30cd9 [0084.539] CloseHandle (hObject=0x30c) returned 1 [0084.539] SetErrorMode (uMode=0x1) returned 0x0 [0084.539] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe87350c7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x47998)) returned 1 [0084.539] SetErrorMode (uMode=0x0) returned 0x1 [0084.539] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.540] SetErrorMode (uMode=0x1) returned 0x0 [0084.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14115400, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0xc84c0)) returned 1 [0084.540] SetErrorMode (uMode=0x0) returned 0x1 [0084.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", lpFilePart=0x0) returned 0x43 [0084.540] SetErrorMode (uMode=0x1) returned 0x0 [0084.540] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.540] SetErrorMode (uMode=0x0) returned 0x1 [0084.540] GetFileType (hFile=0x30c) returned 0x1 [0084.540] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xb8ac1 [0084.543] CloseHandle (hObject=0x30c) returned 1 [0084.543] SetErrorMode (uMode=0x1) returned 0x0 [0084.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.544] SetErrorMode (uMode=0x0) returned 0x1 [0084.544] GetFileType (hFile=0x30c) returned 0x1 [0084.544] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0xc84c0 [0084.547] CloseHandle (hObject=0x30c) returned 1 [0084.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", lpFilePart=0x0) returned 0x43 [0084.563] SetErrorMode (uMode=0x1) returned 0x0 [0084.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.564] SetErrorMode (uMode=0x0) returned 0x1 [0084.564] GetFileType (hFile=0x30c) returned 0x1 [0084.564] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0xb8ac1 [0084.567] CloseHandle (hObject=0x30c) returned 1 [0084.567] SetErrorMode (uMode=0x1) returned 0x0 [0084.567] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe875b554, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xcf780)) returned 1 [0084.567] SetErrorMode (uMode=0x0) returned 0x1 [0084.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.582] SetErrorMode (uMode=0x1) returned 0x0 [0084.582] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb4b54300, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x127260)) returned 1 [0084.583] SetErrorMode (uMode=0x0) returned 0x1 [0084.583] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll", lpFilePart=0x0) returned 0x43 [0084.583] SetErrorMode (uMode=0x1) returned 0x0 [0084.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.584] SetErrorMode (uMode=0x0) returned 0x1 [0084.584] GetFileType (hFile=0x30c) returned 0x1 [0084.584] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x117861 [0084.586] CloseHandle (hObject=0x30c) returned 1 [0084.586] SetErrorMode (uMode=0x1) returned 0x0 [0084.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.587] SetErrorMode (uMode=0x0) returned 0x1 [0084.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", lpFilePart=0x0) returned 0x50 [0084.588] SetErrorMode (uMode=0x1) returned 0x0 [0084.588] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8ee04f00, ftLastWriteTime.dwHighDateTime=0x1d0d67f, nFileSizeHigh=0x0, nFileSizeLow=0x1028)) returned 1 [0084.588] SetErrorMode (uMode=0x0) returned 0x1 [0084.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", lpFilePart=0x0) returned 0x50 [0084.588] SetErrorMode (uMode=0x1) returned 0x0 [0084.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.589] SetErrorMode (uMode=0x0) returned 0x1 [0084.589] GetFileType (hFile=0x30c) returned 0x1 [0084.589] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-4095, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x29 [0084.590] CloseHandle (hObject=0x30c) returned 1 [0084.590] SetErrorMode (uMode=0x1) returned 0x0 [0084.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.591] SetErrorMode (uMode=0x0) returned 0x1 [0084.591] GetFileType (hFile=0x30c) returned 0x1 [0084.591] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x1028 [0084.593] CloseHandle (hObject=0x30c) returned 1 [0084.593] SetErrorMode (uMode=0x1) returned 0x0 [0084.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.594] SetErrorMode (uMode=0x0) returned 0x1 [0084.594] GetFileType (hFile=0x30c) returned 0x1 [0084.594] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x29 [0084.595] CloseHandle (hObject=0x30c) returned 1 [0084.595] SetErrorMode (uMode=0x1) returned 0x0 [0084.595] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe87a7756, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1794)) returned 1 [0084.595] SetErrorMode (uMode=0x0) returned 0x1 [0084.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.596] SetErrorMode (uMode=0x1) returned 0x0 [0084.596] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb3841600, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xdc4b8)) returned 1 [0084.596] SetErrorMode (uMode=0x0) returned 0x1 [0084.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", lpFilePart=0x0) returned 0x49 [0084.596] SetErrorMode (uMode=0x1) returned 0x0 [0084.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.596] SetErrorMode (uMode=0x0) returned 0x1 [0084.596] GetFileType (hFile=0x30c) returned 0x1 [0084.596] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xccab9 [0084.598] CloseHandle (hObject=0x30c) returned 1 [0084.598] SetErrorMode (uMode=0x1) returned 0x0 [0084.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.598] SetErrorMode (uMode=0x0) returned 0x1 [0084.598] GetFileType (hFile=0x30c) returned 0x1 [0084.598] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0xdc4b8 [0084.601] CloseHandle (hObject=0x30c) returned 1 [0084.617] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", lpFilePart=0x0) returned 0x49 [0084.618] SetErrorMode (uMode=0x1) returned 0x0 [0084.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.618] SetErrorMode (uMode=0x0) returned 0x1 [0084.618] GetFileType (hFile=0x30c) returned 0x1 [0084.618] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0xccab9 [0084.621] CloseHandle (hObject=0x30c) returned 1 [0084.621] SetErrorMode (uMode=0x1) returned 0x0 [0084.621] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe87f3cd1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xe3778)) returned 1 [0084.621] SetErrorMode (uMode=0x0) returned 0x1 [0084.621] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.622] SetErrorMode (uMode=0x1) returned 0x0 [0084.622] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x514a8)) returned 1 [0084.756] SetErrorMode (uMode=0x0) returned 0x1 [0084.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", lpFilePart=0x0) returned 0x47 [0084.757] SetErrorMode (uMode=0x1) returned 0x0 [0084.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.757] SetErrorMode (uMode=0x0) returned 0x1 [0084.757] GetFileType (hFile=0x30c) returned 0x1 [0084.757] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x41aa9 [0084.759] CloseHandle (hObject=0x30c) returned 1 [0084.759] SetErrorMode (uMode=0x1) returned 0x0 [0084.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.759] SetErrorMode (uMode=0x0) returned 0x1 [0084.759] GetFileType (hFile=0x30c) returned 0x1 [0084.759] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x514a8 [0084.762] CloseHandle (hObject=0x30c) returned 1 [0084.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", lpFilePart=0x0) returned 0x47 [0084.861] SetErrorMode (uMode=0x1) returned 0x0 [0084.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.861] SetErrorMode (uMode=0x0) returned 0x1 [0084.861] GetFileType (hFile=0x30c) returned 0x1 [0084.861] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x41aa9 [0084.864] CloseHandle (hObject=0x30c) returned 1 [0084.864] SetErrorMode (uMode=0x1) returned 0x0 [0084.864] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a30213, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x58768)) returned 1 [0084.864] SetErrorMode (uMode=0x0) returned 0x1 [0084.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.865] SetErrorMode (uMode=0x1) returned 0x0 [0084.865] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd783a00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0084.865] SetErrorMode (uMode=0x0) returned 0x1 [0084.866] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash", nBufferLength=0x105, lpBuffer=0xf1dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash", lpFilePart=0x0) returned 0x43 [0084.866] SetErrorMode (uMode=0x1) returned 0x0 [0084.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.866] SetErrorMode (uMode=0x0) returned 0x1 [0084.866] GetFileType (hFile=0x30c) returned 0x1 [0084.866] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e608 | out: lpFileSizeHigh=0xf1e608*=0x0) returned 0x66 [0084.867] CloseHandle (hObject=0x30c) returned 1 [0084.867] SetErrorMode (uMode=0x1) returned 0x0 [0084.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.867] SetErrorMode (uMode=0x0) returned 0x1 [0084.867] GetFileType (hFile=0x30c) returned 0x1 [0084.867] SetEndOfFile (hFile=0x30c) returned 1 [0084.868] CloseHandle (hObject=0x30c) returned 1 [0084.868] SetErrorMode (uMode=0x1) returned 0x0 [0084.868] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.868] SetErrorMode (uMode=0x0) returned 0x1 [0084.868] GetFileType (hFile=0x30c) returned 0x1 [0084.869] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x0 [0084.869] CloseHandle (hObject=0x30c) returned 1 [0084.869] SetErrorMode (uMode=0x1) returned 0x0 [0084.870] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a56470, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0084.870] SetErrorMode (uMode=0x0) returned 0x1 [0084.870] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.870] SetErrorMode (uMode=0x1) returned 0x0 [0084.870] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbc470d00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0084.870] SetErrorMode (uMode=0x0) returned 0x1 [0084.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash", nBufferLength=0x105, lpBuffer=0xf1dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash", lpFilePart=0x0) returned 0x46 [0084.871] SetErrorMode (uMode=0x1) returned 0x0 [0084.871] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.871] SetErrorMode (uMode=0x0) returned 0x1 [0084.871] GetFileType (hFile=0x30c) returned 0x1 [0084.871] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e608 | out: lpFileSizeHigh=0xf1e608*=0x0) returned 0x66 [0084.872] CloseHandle (hObject=0x30c) returned 1 [0084.872] SetErrorMode (uMode=0x1) returned 0x0 [0084.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.872] SetErrorMode (uMode=0x0) returned 0x1 [0084.872] GetFileType (hFile=0x30c) returned 0x1 [0084.872] SetEndOfFile (hFile=0x30c) returned 1 [0084.873] CloseHandle (hObject=0x30c) returned 1 [0084.873] SetErrorMode (uMode=0x1) returned 0x0 [0084.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.873] SetErrorMode (uMode=0x0) returned 0x1 [0084.873] GetFileType (hFile=0x30c) returned 0x1 [0084.873] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x0 [0084.874] CloseHandle (hObject=0x30c) returned 1 [0084.874] SetErrorMode (uMode=0x1) returned 0x0 [0084.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a56470, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xbf)) returned 1 [0084.875] SetErrorMode (uMode=0x0) returned 0x1 [0084.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.875] SetErrorMode (uMode=0x1) returned 0x0 [0084.875] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x10ae80)) returned 1 [0084.876] SetErrorMode (uMode=0x0) returned 0x1 [0084.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe", lpFilePart=0x0) returned 0x4e [0084.876] SetErrorMode (uMode=0x1) returned 0x0 [0084.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.876] SetErrorMode (uMode=0x0) returned 0x1 [0084.876] GetFileType (hFile=0x30c) returned 0x1 [0084.876] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xfb481 [0084.880] CloseHandle (hObject=0x30c) returned 1 [0084.881] SetErrorMode (uMode=0x1) returned 0x0 [0084.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.881] SetErrorMode (uMode=0x0) returned 0x1 [0084.881] GetFileType (hFile=0x30c) returned 0x1 [0084.881] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x10ae80 [0084.884] CloseHandle (hObject=0x30c) returned 1 [0084.904] SetErrorMode (uMode=0x1) returned 0x0 [0084.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.904] SetErrorMode (uMode=0x0) returned 0x1 [0084.904] GetFileType (hFile=0x30c) returned 0x1 [0084.904] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0xfb481 [0084.907] CloseHandle (hObject=0x30c) returned 1 [0084.907] SetErrorMode (uMode=0x1) returned 0x0 [0084.907] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8aa2962, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x112140)) returned 1 [0084.908] SetErrorMode (uMode=0x0) returned 0x1 [0084.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.908] SetErrorMode (uMode=0x1) returned 0x0 [0084.908] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xa2e72000, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x578d8)) returned 1 [0084.909] SetErrorMode (uMode=0x0) returned 0x1 [0084.909] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe", lpFilePart=0x0) returned 0x49 [0084.909] SetErrorMode (uMode=0x1) returned 0x0 [0084.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.909] SetErrorMode (uMode=0x0) returned 0x1 [0084.909] GetFileType (hFile=0x30c) returned 0x1 [0084.909] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x47ed9 [0084.911] CloseHandle (hObject=0x30c) returned 1 [0084.911] SetErrorMode (uMode=0x1) returned 0x0 [0084.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.912] SetErrorMode (uMode=0x0) returned 0x1 [0084.912] GetFileType (hFile=0x30c) returned 0x1 [0084.912] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x578d8 [0084.914] CloseHandle (hObject=0x30c) returned 1 [0084.927] SetErrorMode (uMode=0x1) returned 0x0 [0084.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0084.927] SetErrorMode (uMode=0x0) returned 0x1 [0084.927] GetFileType (hFile=0x30c) returned 0x1 [0084.927] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x47ed9 [0084.930] CloseHandle (hObject=0x30c) returned 1 [0084.930] SetErrorMode (uMode=0x1) returned 0x0 [0084.930] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8aeee5a, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5eb98)) returned 1 [0084.930] SetErrorMode (uMode=0x0) returned 0x1 [0084.930] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0084.931] SetErrorMode (uMode=0x1) returned 0x0 [0084.931] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8745c00, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x2ffa60)) returned 1 [0084.931] SetErrorMode (uMode=0x0) returned 0x1 [0084.931] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll", lpFilePart=0x0) returned 0x4e [0084.931] SetErrorMode (uMode=0x1) returned 0x0 [0084.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.931] SetErrorMode (uMode=0x0) returned 0x1 [0084.931] GetFileType (hFile=0x30c) returned 0x1 [0084.931] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x2f0061 [0084.933] CloseHandle (hObject=0x30c) returned 1 [0084.933] SetErrorMode (uMode=0x1) returned 0x0 [0084.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.935] SetErrorMode (uMode=0x0) returned 0x1 [0084.935] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", lpFilePart=0x0) returned 0x4e [0084.936] SetErrorMode (uMode=0x1) returned 0x0 [0084.936] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bb0837, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bb0837, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xad6b600, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x475e60)) returned 1 [0084.936] SetErrorMode (uMode=0x0) returned 0x1 [0084.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", lpFilePart=0x0) returned 0x4e [0084.936] SetErrorMode (uMode=0x1) returned 0x0 [0084.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.936] SetErrorMode (uMode=0x0) returned 0x1 [0084.936] GetFileType (hFile=0x30c) returned 0x1 [0084.936] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x466461 [0084.975] CloseHandle (hObject=0x30c) returned 1 [0084.976] SetErrorMode (uMode=0x1) returned 0x0 [0084.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.977] SetErrorMode (uMode=0x0) returned 0x1 [0084.978] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", lpFilePart=0x0) returned 0x48 [0084.978] SetErrorMode (uMode=0x1) returned 0x0 [0084.978] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bfccf1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bfccf1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x307ac0)) returned 1 [0084.978] SetErrorMode (uMode=0x0) returned 0x1 [0084.978] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", lpFilePart=0x0) returned 0x48 [0084.978] SetErrorMode (uMode=0x1) returned 0x0 [0084.978] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.978] SetErrorMode (uMode=0x0) returned 0x1 [0084.978] GetFileType (hFile=0x30c) returned 0x1 [0084.978] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x2f80c1 [0084.982] CloseHandle (hObject=0x30c) returned 1 [0084.982] SetErrorMode (uMode=0x1) returned 0x0 [0084.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.983] SetErrorMode (uMode=0x0) returned 0x1 [0084.984] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", lpFilePart=0x0) returned 0x50 [0084.984] SetErrorMode (uMode=0x1) returned 0x0 [0084.984] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c22f4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c22f4a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x10cc9700, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x8e6060)) returned 1 [0084.984] SetErrorMode (uMode=0x0) returned 0x1 [0084.984] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", lpFilePart=0x0) returned 0x50 [0084.984] SetErrorMode (uMode=0x1) returned 0x0 [0084.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.984] SetErrorMode (uMode=0x0) returned 0x1 [0084.985] GetFileType (hFile=0x30c) returned 0x1 [0084.985] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x8d6661 [0084.987] CloseHandle (hObject=0x30c) returned 1 [0084.987] SetErrorMode (uMode=0x1) returned 0x0 [0084.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.988] SetErrorMode (uMode=0x0) returned 0x1 [0084.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", lpFilePart=0x0) returned 0x4d [0084.990] SetErrorMode (uMode=0x1) returned 0x0 [0084.990] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x11fdc400, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0xee60)) returned 1 [0084.990] SetErrorMode (uMode=0x0) returned 0x1 [0084.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", lpFilePart=0x0) returned 0x4d [0084.990] SetErrorMode (uMode=0x1) returned 0x0 [0084.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.990] SetErrorMode (uMode=0x0) returned 0x1 [0084.990] GetFileType (hFile=0x30c) returned 0x1 [0084.990] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-60957, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x43 [0084.993] CloseHandle (hObject=0x30c) returned 1 [0084.993] SetErrorMode (uMode=0x1) returned 0x0 [0084.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0084.993] SetErrorMode (uMode=0x0) returned 0x1 [0084.993] GetFileType (hFile=0x30c) returned 0x1 [0084.993] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0xee60 [0084.996] CloseHandle (hObject=0x30c) returned 1 [0085.008] SetErrorMode (uMode=0x1) returned 0x0 [0085.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.008] SetErrorMode (uMode=0x0) returned 0x1 [0085.008] GetFileType (hFile=0x30c) returned 0x1 [0085.008] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x43 [0085.011] CloseHandle (hObject=0x30c) returned 1 [0085.011] SetErrorMode (uMode=0x1) returned 0x0 [0085.011] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8bad776, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x15bae)) returned 1 [0085.011] SetErrorMode (uMode=0x0) returned 0x1 [0085.011] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.012] SetErrorMode (uMode=0x1) returned 0x0 [0085.012] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c9565a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c9565a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1909ea00, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8)) returned 1 [0085.012] SetErrorMode (uMode=0x0) returned 0x1 [0085.012] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll", lpFilePart=0x0) returned 0x46 [0085.012] SetErrorMode (uMode=0x1) returned 0x0 [0085.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.013] SetErrorMode (uMode=0x0) returned 0x1 [0085.013] GetFileType (hFile=0x30c) returned 0x1 [0085.013] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x918a9 [0085.026] CloseHandle (hObject=0x30c) returned 1 [0085.026] SetErrorMode (uMode=0x1) returned 0x0 [0085.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.028] SetErrorMode (uMode=0x0) returned 0x1 [0085.028] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll", lpFilePart=0x0) returned 0x46 [0085.028] SetErrorMode (uMode=0x1) returned 0x0 [0085.028] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0)) returned 1 [0085.029] SetErrorMode (uMode=0x0) returned 0x1 [0085.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll", lpFilePart=0x0) returned 0x46 [0085.029] SetErrorMode (uMode=0x1) returned 0x0 [0085.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.029] SetErrorMode (uMode=0x0) returned 0x1 [0085.029] GetFileType (hFile=0x30c) returned 0x1 [0085.029] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x8b6a1 [0085.031] CloseHandle (hObject=0x30c) returned 1 [0085.031] SetErrorMode (uMode=0x1) returned 0x0 [0085.031] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.032] SetErrorMode (uMode=0x0) returned 0x1 [0085.033] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll", lpFilePart=0x0) returned 0x46 [0085.033] SetErrorMode (uMode=0x1) returned 0x0 [0085.033] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c4400, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8)) returned 1 [0085.033] SetErrorMode (uMode=0x0) returned 0x1 [0085.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll", lpFilePart=0x0) returned 0x46 [0085.037] SetErrorMode (uMode=0x1) returned 0x0 [0085.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.037] SetErrorMode (uMode=0x0) returned 0x1 [0085.037] GetFileType (hFile=0x30c) returned 0x1 [0085.037] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xdb8a9 [0085.039] CloseHandle (hObject=0x30c) returned 1 [0085.039] SetErrorMode (uMode=0x1) returned 0x0 [0085.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.041] SetErrorMode (uMode=0x0) returned 0x1 [0085.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", lpFilePart=0x0) returned 0x4d [0085.041] SetErrorMode (uMode=0x1) returned 0x0 [0085.042] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x5b1068)) returned 1 [0085.042] SetErrorMode (uMode=0x0) returned 0x1 [0085.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", lpFilePart=0x0) returned 0x4d [0085.042] SetErrorMode (uMode=0x1) returned 0x0 [0085.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.042] SetErrorMode (uMode=0x0) returned 0x1 [0085.042] GetFileType (hFile=0x30c) returned 0x1 [0085.042] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x5a1669 [0085.045] CloseHandle (hObject=0x30c) returned 1 [0085.045] SetErrorMode (uMode=0x1) returned 0x0 [0085.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.045] SetErrorMode (uMode=0x0) returned 0x1 [0085.046] GetFileType (hFile=0x30c) returned 0x1 [0085.046] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x5b1068 [0085.048] CloseHandle (hObject=0x30c) returned 1 [0085.061] SetErrorMode (uMode=0x1) returned 0x0 [0085.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.062] SetErrorMode (uMode=0x0) returned 0x1 [0085.062] GetFileType (hFile=0x30c) returned 0x1 [0085.062] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x5a1669 [0085.064] CloseHandle (hObject=0x30c) returned 1 [0085.065] SetErrorMode (uMode=0x1) returned 0x0 [0085.065] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c200a1, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x5b8328)) returned 1 [0085.065] SetErrorMode (uMode=0x0) returned 0x1 [0085.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.066] SetErrorMode (uMode=0x1) returned 0x0 [0085.066] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xf34d8)) returned 1 [0085.066] SetErrorMode (uMode=0x0) returned 0x1 [0085.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll", lpFilePart=0x0) returned 0x4a [0085.066] SetErrorMode (uMode=0x1) returned 0x0 [0085.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.066] SetErrorMode (uMode=0x0) returned 0x1 [0085.066] GetFileType (hFile=0x30c) returned 0x1 [0085.066] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xe3ad9 [0085.081] CloseHandle (hObject=0x30c) returned 1 [0085.081] SetErrorMode (uMode=0x1) returned 0x0 [0085.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.081] SetErrorMode (uMode=0x0) returned 0x1 [0085.081] GetFileType (hFile=0x30c) returned 0x1 [0085.081] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0xf34d8 [0085.084] CloseHandle (hObject=0x30c) returned 1 [0085.097] SetErrorMode (uMode=0x1) returned 0x0 [0085.097] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.097] SetErrorMode (uMode=0x0) returned 0x1 [0085.097] GetFileType (hFile=0x30c) returned 0x1 [0085.097] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0xe3ad9 [0085.100] CloseHandle (hObject=0x30c) returned 1 [0085.101] SetErrorMode (uMode=0x1) returned 0x0 [0085.101] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c927ca, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xfa798)) returned 1 [0085.101] SetErrorMode (uMode=0x0) returned 0x1 [0085.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.102] SetErrorMode (uMode=0x1) returned 0x0 [0085.102] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd0d7e00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x2a5e58)) returned 1 [0085.102] SetErrorMode (uMode=0x0) returned 0x1 [0085.102] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpFilePart=0x0) returned 0x4e [0085.102] SetErrorMode (uMode=0x1) returned 0x0 [0085.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.102] SetErrorMode (uMode=0x0) returned 0x1 [0085.102] GetFileType (hFile=0x30c) returned 0x1 [0085.102] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x296459 [0085.104] CloseHandle (hObject=0x30c) returned 1 [0085.104] SetErrorMode (uMode=0x1) returned 0x0 [0085.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.106] SetErrorMode (uMode=0x0) returned 0x1 [0085.106] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", lpFilePart=0x0) returned 0x52 [0085.106] SetErrorMode (uMode=0x1) returned 0x0 [0085.107] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3f141b52, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x12ae)) returned 1 [0085.121] SetErrorMode (uMode=0x0) returned 0x1 [0085.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", lpFilePart=0x0) returned 0x52 [0085.121] SetErrorMode (uMode=0x1) returned 0x0 [0085.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.122] SetErrorMode (uMode=0x0) returned 0x1 [0085.122] GetFileType (hFile=0x30c) returned 0x1 [0085.122] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-4680, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x66 [0085.123] CloseHandle (hObject=0x30c) returned 1 [0085.123] SetErrorMode (uMode=0x1) returned 0x0 [0085.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.124] SetErrorMode (uMode=0x0) returned 0x1 [0085.124] GetFileType (hFile=0x30c) returned 0x1 [0085.124] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x12ae [0085.126] CloseHandle (hObject=0x30c) returned 1 [0085.127] SetErrorMode (uMode=0x1) returned 0x0 [0085.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.127] SetErrorMode (uMode=0x0) returned 0x1 [0085.127] GetFileType (hFile=0x30c) returned 0x1 [0085.127] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x66 [0085.128] CloseHandle (hObject=0x30c) returned 1 [0085.128] SetErrorMode (uMode=0x1) returned 0x0 [0085.128] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8cb8a10, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x1b25)) returned 1 [0085.128] SetErrorMode (uMode=0x0) returned 0x1 [0085.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.129] SetErrorMode (uMode=0x1) returned 0x0 [0085.129] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fa7ec8f, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x1162)) returned 1 [0085.129] SetErrorMode (uMode=0x0) returned 0x1 [0085.129] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml", lpFilePart=0x0) returned 0x54 [0085.129] SetErrorMode (uMode=0x1) returned 0x0 [0085.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.129] SetErrorMode (uMode=0x0) returned 0x1 [0085.129] GetFileType (hFile=0x30c) returned 0x1 [0085.130] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-4446, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x4 [0085.135] CloseHandle (hObject=0x30c) returned 1 [0085.135] SetErrorMode (uMode=0x1) returned 0x0 [0085.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.135] SetErrorMode (uMode=0x0) returned 0x1 [0085.135] GetFileType (hFile=0x30c) returned 0x1 [0085.135] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x1162 [0085.137] CloseHandle (hObject=0x30c) returned 1 [0085.138] SetErrorMode (uMode=0x1) returned 0x0 [0085.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.139] SetErrorMode (uMode=0x0) returned 0x1 [0085.139] GetFileType (hFile=0x30c) returned 0x1 [0085.139] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x4 [0085.139] CloseHandle (hObject=0x30c) returned 1 [0085.140] SetErrorMode (uMode=0x1) returned 0x0 [0085.140] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8cdecc7, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x196f)) returned 1 [0085.140] SetErrorMode (uMode=0x0) returned 0x1 [0085.140] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.144] SetErrorMode (uMode=0x1) returned 0x0 [0085.144] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x101458)) returned 1 [0085.144] SetErrorMode (uMode=0x0) returned 0x1 [0085.144] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll", lpFilePart=0x0) returned 0x4a [0085.144] SetErrorMode (uMode=0x1) returned 0x0 [0085.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.144] SetErrorMode (uMode=0x0) returned 0x1 [0085.144] GetFileType (hFile=0x30c) returned 0x1 [0085.144] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xf1a59 [0085.148] CloseHandle (hObject=0x30c) returned 1 [0085.148] SetErrorMode (uMode=0x1) returned 0x0 [0085.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.149] SetErrorMode (uMode=0x0) returned 0x1 [0085.150] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", lpFilePart=0x0) returned 0x46 [0085.150] SetErrorMode (uMode=0x1) returned 0x0 [0085.150] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0xefec0)) returned 1 [0085.151] SetErrorMode (uMode=0x0) returned 0x1 [0085.151] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", lpFilePart=0x0) returned 0x46 [0085.151] SetErrorMode (uMode=0x1) returned 0x0 [0085.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.151] SetErrorMode (uMode=0x0) returned 0x1 [0085.151] GetFileType (hFile=0x30c) returned 0x1 [0085.152] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xe04c1 [0085.154] CloseHandle (hObject=0x30c) returned 1 [0085.154] SetErrorMode (uMode=0x1) returned 0x0 [0085.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.154] SetErrorMode (uMode=0x0) returned 0x1 [0085.154] GetFileType (hFile=0x30c) returned 0x1 [0085.154] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0xefec0 [0085.156] CloseHandle (hObject=0x30c) returned 1 [0085.172] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", nBufferLength=0x105, lpBuffer=0xf1def0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", lpFilePart=0x0) returned 0x46 [0085.172] SetErrorMode (uMode=0x1) returned 0x0 [0085.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.173] SetErrorMode (uMode=0x0) returned 0x1 [0085.173] GetFileType (hFile=0x30c) returned 0x1 [0085.173] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0xe04c1 [0085.176] CloseHandle (hObject=0x30c) returned 1 [0085.176] SetErrorMode (uMode=0x1) returned 0x0 [0085.176] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8d2b0c0, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0xf7180)) returned 1 [0085.176] SetErrorMode (uMode=0x0) returned 0x1 [0085.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.179] SetErrorMode (uMode=0x1) returned 0x0 [0085.179] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0)) returned 1 [0085.180] SetErrorMode (uMode=0x0) returned 0x1 [0085.180] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll", lpFilePart=0x0) returned 0x49 [0085.180] SetErrorMode (uMode=0x1) returned 0x0 [0085.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.180] SetErrorMode (uMode=0x0) returned 0x1 [0085.180] GetFileType (hFile=0x30c) returned 0x1 [0085.180] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x4fab1 [0085.183] CloseHandle (hObject=0x30c) returned 1 [0085.183] SetErrorMode (uMode=0x1) returned 0x0 [0085.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.183] SetErrorMode (uMode=0x0) returned 0x1 [0085.183] GetFileType (hFile=0x30c) returned 0x1 [0085.183] GetFileSize (in: hFile=0x30c, lpFileSizeHigh=0xf1e5d8 | out: lpFileSizeHigh=0xf1e5d8*=0x0) returned 0x5f4b0 [0085.186] CloseHandle (hObject=0x30c) returned 1 [0085.215] SetErrorMode (uMode=0x1) returned 0x0 [0085.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.216] SetErrorMode (uMode=0x0) returned 0x1 [0085.216] GetFileType (hFile=0x30c) returned 0x1 [0085.216] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0xf1e360*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e360*=0) returned 0x4fab1 [0085.218] CloseHandle (hObject=0x30c) returned 1 [0085.219] SetErrorMode (uMode=0x1) returned 0x0 [0085.219] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e490 | out: lpFileInformation=0xf1e490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8d9d806, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x66770)) returned 1 [0085.219] SetErrorMode (uMode=0x0) returned 0x1 [0085.219] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll[id-qKCXbrQ9].[paradise@all-ransomware.info].PRT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll[id-qkcxbrq9].[paradise@all-ransomware.info].prt")) returned 1 [0085.219] SetErrorMode (uMode=0x1) returned 0x0 [0085.220] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0)) returned 1 [0085.220] SetErrorMode (uMode=0x0) returned 0x1 [0085.220] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll", lpFilePart=0x0) returned 0x4a [0085.220] SetErrorMode (uMode=0x1) returned 0x0 [0085.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.220] SetErrorMode (uMode=0x0) returned 0x1 [0085.220] GetFileType (hFile=0x30c) returned 0x1 [0085.220] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x60b1 [0085.228] CloseHandle (hObject=0x30c) returned 1 [0085.228] SetErrorMode (uMode=0x1) returned 0x0 [0085.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.230] SetErrorMode (uMode=0x0) returned 0x1 [0085.231] SetErrorMode (uMode=0x1) returned 0x0 [0085.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\#DECRYPT MY FILES#.html" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\#decrypt my files#.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c [0085.231] SetErrorMode (uMode=0x0) returned 0x1 [0085.231] GetFileType (hFile=0x30c) returned 0x1 [0085.232] WriteFile (in: hFile=0x30c, lpBuffer=0x3061b30*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xf1e508, lpOverlapped=0x0 | out: lpBuffer=0x3061b30*, lpNumberOfBytesWritten=0xf1e508*=0x1000, lpOverlapped=0x0) returned 1 [0085.233] CloseHandle (hObject=0x30c) returned 1 [0085.233] SetErrorMode (uMode=0x1) returned 0x0 [0085.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*", lpFindFileData=0xf1e330 | out: lpFindFileData=0xf1e330*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe8d9d806, ftLastAccessTime.dwHighDateTime=0x1d5ce36, ftLastWriteTime.dwLowDateTime=0xe8dc37fb, ftLastWriteTime.dwHighDateTime=0x1d5ce36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b31d0 [0085.234] SetErrorMode (uMode=0x0) returned 0x1 [0085.234] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0085.234] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0085.234] CoTaskMemFree (pv=0x10be120) [0085.234] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xf1e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming", lpFilePart=0x0) returned 0x1f [0085.234] CoCreateGuid (in: pguid=0xf1e5d0 | out: pguid=0xf1e5d0*(Data1=0x341fb0bf, Data2=0x81f4, Data3=0x438a, Data4=([0]=0x84, [1]=0xc, [2]=0x38, [3]=0x99, [4]=0xaf, [5]=0x72, [6]=0xbf, [7]=0x7e))) returned 0x0 [0085.235] CoTaskMemAlloc (cb=0x20c) returned 0x10be120 [0085.235] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x10be120 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0085.235] CoTaskMemFree (pv=0x10be120) [0085.235] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0xf1e220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0085.235] SetErrorMode (uMode=0x1) returned 0x0 [0085.235] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0xf1e360 | out: lpFindFileData=0xf1e360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10b3bf0 [0085.236] SetErrorMode (uMode=0x0) returned 0x1 [0085.236] SetErrorMode (uMode=0x1) returned 0x0 [0085.236] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe462e472, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe462e472, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc137d)) returned 1 [0085.237] SetErrorMode (uMode=0x0) returned 0x1 [0085.237] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0085.237] SetErrorMode (uMode=0x1) returned 0x0 [0085.237] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.237] SetErrorMode (uMode=0x0) returned 0x1 [0085.237] GetFileType (hFile=0x30c) returned 0x1 [0085.237] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xb197e [0085.240] CloseHandle (hObject=0x30c) returned 1 [0085.240] SetErrorMode (uMode=0x1) returned 0x0 [0085.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.242] SetErrorMode (uMode=0x0) returned 0x1 [0085.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0085.243] SetErrorMode (uMode=0x1) returned 0x0 [0085.243] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5)) returned 1 [0085.243] SetErrorMode (uMode=0x0) returned 0x1 [0085.243] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0085.244] SetErrorMode (uMode=0x1) returned 0x0 [0085.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0085.244] SetErrorMode (uMode=0x0) returned 0x1 [0085.244] GetFileType (hFile=0x30c) returned 0x1 [0085.244] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-27027, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x12 [0085.299] CloseHandle (hObject=0x30c) returned 1 [0085.958] SetErrorMode (uMode=0x1) returned 0x0 [0085.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0085.960] SetErrorMode (uMode=0x0) returned 0x1 [0085.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0085.961] SetErrorMode (uMode=0x1) returned 0x0 [0085.961] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84)) returned 1 [0086.009] SetErrorMode (uMode=0x0) returned 0x1 [0086.009] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0086.009] SetErrorMode (uMode=0x1) returned 0x0 [0086.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.009] SetErrorMode (uMode=0x0) returned 0x1 [0086.009] GetFileType (hFile=0x30c) returned 0x1 [0086.009] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x177185 [0086.012] CloseHandle (hObject=0x30c) returned 1 [0086.012] SetErrorMode (uMode=0x1) returned 0x0 [0086.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.013] SetErrorMode (uMode=0x0) returned 0x1 [0086.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe", lpFilePart=0x0) returned 0x4a [0086.014] SetErrorMode (uMode=0x1) returned 0x0 [0086.014] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd121ea9a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd121ea9a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc4800)) returned 1 [0086.015] SetErrorMode (uMode=0x0) returned 0x1 [0086.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe", lpFilePart=0x0) returned 0x4a [0086.015] SetErrorMode (uMode=0x1) returned 0x0 [0086.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.016] SetErrorMode (uMode=0x0) returned 0x1 [0086.016] GetFileType (hFile=0x30c) returned 0x1 [0086.016] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xb4e01 [0086.018] CloseHandle (hObject=0x30c) returned 1 [0086.019] SetErrorMode (uMode=0x1) returned 0x0 [0086.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.020] SetErrorMode (uMode=0x0) returned 0x1 [0086.021] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat", lpFilePart=0x0) returned 0x42 [0086.021] SetErrorMode (uMode=0x1) returned 0x0 [0086.021] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620)) returned 1 [0086.031] SetErrorMode (uMode=0x0) returned 0x1 [0086.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat", lpFilePart=0x0) returned 0x42 [0086.032] SetErrorMode (uMode=0x1) returned 0x0 [0086.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.033] SetErrorMode (uMode=0x0) returned 0x1 [0086.033] GetFileType (hFile=0x30c) returned 0x1 [0086.033] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-46566, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x3a [0086.160] CloseHandle (hObject=0x30c) returned 1 [0086.160] SetErrorMode (uMode=0x1) returned 0x0 [0086.160] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.167] SetErrorMode (uMode=0x0) returned 0x1 [0086.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat", lpFilePart=0x0) returned 0x3f [0086.168] SetErrorMode (uMode=0x1) returned 0x0 [0086.168] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0)) returned 1 [0086.168] SetErrorMode (uMode=0x0) returned 0x1 [0086.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat", lpFilePart=0x0) returned 0x3f [0086.168] SetErrorMode (uMode=0x1) returned 0x0 [0086.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.169] SetErrorMode (uMode=0x0) returned 0x1 [0086.169] GetFileType (hFile=0x30c) returned 0x1 [0086.169] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x6a1c1 [0086.171] CloseHandle (hObject=0x30c) returned 1 [0086.171] SetErrorMode (uMode=0x1) returned 0x0 [0086.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.172] SetErrorMode (uMode=0x0) returned 0x1 [0086.173] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat", lpFilePart=0x0) returned 0x41 [0086.173] SetErrorMode (uMode=0x1) returned 0x0 [0086.173] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe38781cd, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe38781cd, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10cb30)) returned 1 [0086.173] SetErrorMode (uMode=0x0) returned 0x1 [0086.174] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat", lpFilePart=0x0) returned 0x41 [0086.174] SetErrorMode (uMode=0x1) returned 0x0 [0086.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.174] SetErrorMode (uMode=0x0) returned 0x1 [0086.174] GetFileType (hFile=0x30c) returned 0x1 [0086.174] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0xfd131 [0086.178] CloseHandle (hObject=0x30c) returned 1 [0086.178] SetErrorMode (uMode=0x1) returned 0x0 [0086.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.180] SetErrorMode (uMode=0x0) returned 0x1 [0086.180] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat", lpFilePart=0x0) returned 0x3f [0086.180] SetErrorMode (uMode=0x1) returned 0x0 [0086.181] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cc99ae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb28b2edf, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb28b2edf, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2662f0)) returned 1 [0086.184] SetErrorMode (uMode=0x0) returned 0x1 [0086.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat", lpFilePart=0x0) returned 0x3f [0086.184] SetErrorMode (uMode=0x1) returned 0x0 [0086.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.184] SetErrorMode (uMode=0x0) returned 0x1 [0086.184] GetFileType (hFile=0x30c) returned 0x1 [0086.184] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x2568f1 [0086.187] CloseHandle (hObject=0x30c) returned 1 [0086.187] SetErrorMode (uMode=0x1) returned 0x0 [0086.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.188] SetErrorMode (uMode=0x0) returned 0x1 [0086.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat", lpFilePart=0x0) returned 0x3f [0086.189] SetErrorMode (uMode=0x1) returned 0x0 [0086.189] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cc99ae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb281a570, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb281a570, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x339380)) returned 1 [0086.189] SetErrorMode (uMode=0x0) returned 0x1 [0086.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat", lpFilePart=0x0) returned 0x3f [0086.189] SetErrorMode (uMode=0x1) returned 0x0 [0086.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.189] SetErrorMode (uMode=0x0) returned 0x1 [0086.190] GetFileType (hFile=0x30c) returned 0x1 [0086.190] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x329981 [0086.192] CloseHandle (hObject=0x30c) returned 1 [0086.195] SetErrorMode (uMode=0x1) returned 0x0 [0086.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.196] SetErrorMode (uMode=0x0) returned 0x1 [0086.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll", lpFilePart=0x0) returned 0x3d [0086.197] SetErrorMode (uMode=0x1) returned 0x0 [0086.197] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x58400)) returned 1 [0086.203] SetErrorMode (uMode=0x0) returned 0x1 [0086.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll", lpFilePart=0x0) returned 0x3d [0086.203] SetErrorMode (uMode=0x1) returned 0x0 [0086.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.204] SetErrorMode (uMode=0x0) returned 0x1 [0086.204] GetFileType (hFile=0x30c) returned 0x1 [0086.204] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x48a01 [0086.207] CloseHandle (hObject=0x30c) returned 1 [0086.207] SetErrorMode (uMode=0x1) returned 0x0 [0086.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.209] SetErrorMode (uMode=0x0) returned 0x1 [0086.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll", lpFilePart=0x0) returned 0x3d [0086.210] SetErrorMode (uMode=0x1) returned 0x0 [0086.210] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1ecc00)) returned 1 [0086.210] SetErrorMode (uMode=0x0) returned 0x1 [0086.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll", lpFilePart=0x0) returned 0x3d [0086.210] SetErrorMode (uMode=0x1) returned 0x0 [0086.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0086.210] SetErrorMode (uMode=0x0) returned 0x1 [0086.210] GetFileType (hFile=0x30c) returned 0x1 [0086.210] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x1dd201 [0086.223] CloseHandle (hObject=0x30c) returned 1 [0086.223] SetErrorMode (uMode=0x1) returned 0x0 [0086.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.095] SetErrorMode (uMode=0x0) returned 0x1 [0087.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe", lpFilePart=0x0) returned 0x4b [0087.097] SetErrorMode (uMode=0x1) returned 0x0 [0087.097] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x59a00)) returned 1 [0087.098] SetErrorMode (uMode=0x0) returned 0x1 [0087.098] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe", lpFilePart=0x0) returned 0x4b [0087.098] SetErrorMode (uMode=0x1) returned 0x0 [0087.098] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.100] SetErrorMode (uMode=0x0) returned 0x1 [0087.100] GetFileType (hFile=0x30c) returned 0x1 [0087.100] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-63999, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x4a001 [0087.102] CloseHandle (hObject=0x30c) returned 1 [0087.103] SetErrorMode (uMode=0x1) returned 0x0 [0087.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.106] SetErrorMode (uMode=0x0) returned 0x1 [0087.107] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml", lpFilePart=0x0) returned 0x3c [0087.107] SetErrorMode (uMode=0x1) returned 0x0 [0087.107] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x972)) returned 1 [0087.109] SetErrorMode (uMode=0x0) returned 0x1 [0087.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml", lpFilePart=0x0) returned 0x3c [0087.109] SetErrorMode (uMode=0x1) returned 0x0 [0087.109] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.110] SetErrorMode (uMode=0x0) returned 0x1 [0087.110] GetFileType (hFile=0x30c) returned 0x1 [0087.110] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2340, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x4e [0087.112] CloseHandle (hObject=0x30c) returned 1 [0087.112] SetErrorMode (uMode=0x1) returned 0x0 [0087.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.114] SetErrorMode (uMode=0x0) returned 0x1 [0087.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0087.117] SetErrorMode (uMode=0x1) returned 0x0 [0087.117] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa20)) returned 1 [0087.117] SetErrorMode (uMode=0x0) returned 0x1 [0087.117] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0087.117] SetErrorMode (uMode=0x1) returned 0x0 [0087.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.117] SetErrorMode (uMode=0x0) returned 0x1 [0087.117] GetFileType (hFile=0x30c) returned 0x1 [0087.117] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2574, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x12 [0087.119] CloseHandle (hObject=0x30c) returned 1 [0087.119] SetErrorMode (uMode=0x1) returned 0x0 [0087.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.121] SetErrorMode (uMode=0x0) returned 0x1 [0087.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0087.123] SetErrorMode (uMode=0x1) returned 0x0 [0087.123] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99e)) returned 1 [0087.123] SetErrorMode (uMode=0x0) returned 0x1 [0087.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0087.123] SetErrorMode (uMode=0x1) returned 0x0 [0087.124] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.124] SetErrorMode (uMode=0x0) returned 0x1 [0087.124] GetFileType (hFile=0x30c) returned 0x1 [0087.124] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2457, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x5 [0087.125] CloseHandle (hObject=0x30c) returned 1 [0087.126] SetErrorMode (uMode=0x1) returned 0x0 [0087.126] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.127] SetErrorMode (uMode=0x0) returned 0x1 [0087.128] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0087.128] SetErrorMode (uMode=0x1) returned 0x0 [0087.128] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x984)) returned 1 [0087.128] SetErrorMode (uMode=0x0) returned 0x1 [0087.128] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0087.129] SetErrorMode (uMode=0x1) returned 0x0 [0087.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.129] SetErrorMode (uMode=0x0) returned 0x1 [0087.129] GetFileType (hFile=0x30c) returned 0x1 [0087.129] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2340, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x60 [0087.276] CloseHandle (hObject=0x30c) returned 1 [0087.277] SetErrorMode (uMode=0x1) returned 0x0 [0087.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.278] SetErrorMode (uMode=0x0) returned 0x1 [0087.281] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0087.281] SetErrorMode (uMode=0x1) returned 0x0 [0087.281] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9fc)) returned 1 [0087.282] SetErrorMode (uMode=0x0) returned 0x1 [0087.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0087.282] SetErrorMode (uMode=0x1) returned 0x0 [0087.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.283] SetErrorMode (uMode=0x0) returned 0x1 [0087.283] GetFileType (hFile=0x30c) returned 0x1 [0087.283] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2457, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x63 [0087.284] CloseHandle (hObject=0x30c) returned 1 [0087.285] SetErrorMode (uMode=0x1) returned 0x0 [0087.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.286] SetErrorMode (uMode=0x0) returned 0x1 [0087.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0087.287] SetErrorMode (uMode=0x1) returned 0x0 [0087.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d2)) returned 1 [0087.288] SetErrorMode (uMode=0x0) returned 0x1 [0087.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0087.288] SetErrorMode (uMode=0x1) returned 0x0 [0087.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.288] SetErrorMode (uMode=0x0) returned 0x1 [0087.288] GetFileType (hFile=0x30c) returned 0x1 [0087.288] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2457, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x39 [0087.290] CloseHandle (hObject=0x30c) returned 1 [0087.290] SetErrorMode (uMode=0x1) returned 0x0 [0087.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.291] SetErrorMode (uMode=0x0) returned 0x1 [0087.292] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0087.292] SetErrorMode (uMode=0x1) returned 0x0 [0087.292] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa38)) returned 1 [0087.293] SetErrorMode (uMode=0x0) returned 0x1 [0087.293] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0087.293] SetErrorMode (uMode=0x1) returned 0x0 [0087.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.293] SetErrorMode (uMode=0x0) returned 0x1 [0087.293] GetFileType (hFile=0x30c) returned 0x1 [0087.293] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2574, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x2a [0087.295] CloseHandle (hObject=0x30c) returned 1 [0087.295] SetErrorMode (uMode=0x1) returned 0x0 [0087.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.296] SetErrorMode (uMode=0x0) returned 0x1 [0087.297] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml", lpFilePart=0x0) returned 0x3c [0087.297] SetErrorMode (uMode=0x1) returned 0x0 [0087.297] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa3a)) returned 1 [0087.298] SetErrorMode (uMode=0x0) returned 0x1 [0087.298] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml", lpFilePart=0x0) returned 0x3c [0087.298] SetErrorMode (uMode=0x1) returned 0x0 [0087.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.298] SetErrorMode (uMode=0x0) returned 0x1 [0087.298] GetFileType (hFile=0x30c) returned 0x1 [0087.298] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2574, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x2c [0087.300] CloseHandle (hObject=0x30c) returned 1 [0087.300] SetErrorMode (uMode=0x1) returned 0x0 [0087.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.302] SetErrorMode (uMode=0x0) returned 0x1 [0087.303] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0087.303] SetErrorMode (uMode=0x1) returned 0x0 [0087.303] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa12)) returned 1 [0087.307] SetErrorMode (uMode=0x0) returned 0x1 [0087.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0087.307] SetErrorMode (uMode=0x1) returned 0x0 [0087.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.307] SetErrorMode (uMode=0x0) returned 0x1 [0087.308] GetFileType (hFile=0x30c) returned 0x1 [0087.308] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2574, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x4 [0087.311] CloseHandle (hObject=0x30c) returned 1 [0087.311] SetErrorMode (uMode=0x1) returned 0x0 [0087.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.312] SetErrorMode (uMode=0x0) returned 0x1 [0087.313] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0087.313] SetErrorMode (uMode=0x1) returned 0x0 [0087.313] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), fInfoLevelId=0x0, lpFileInformation=0xf1e510 | out: lpFileInformation=0xf1e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xbd0)) returned 1 [0087.314] SetErrorMode (uMode=0x0) returned 0x1 [0087.314] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0xf1df70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0087.314] SetErrorMode (uMode=0x1) returned 0x0 [0087.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x30c [0087.314] SetErrorMode (uMode=0x0) returned 0x1 [0087.314] GetFileType (hFile=0x30c) returned 0x1 [0087.314] SetFilePointer (in: hFile=0x30c, lDistanceToMove=-2925, lpDistanceToMoveHigh=0xf1e620*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0xf1e620*=0) returned 0x63 [0087.317] CloseHandle (hObject=0x30c) returned 1 [0087.318] SetErrorMode (uMode=0x1) returned 0x0 [0087.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.319] SetErrorMode (uMode=0x0) returned 0x1 [0087.320] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll", nBufferLength=0x105, lpBuffer=0xf1e290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll", lpFilePart=0x0) returned 0x45 [0087.320] SetErrorMode (uMode=0x1) returned 0x0 [0087.320] GetFileAttributesExW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), fInfoLevelId=0x0, lpFileInformation=0xf1e510) Thread: id = 7 os_tid = 0xdfc Thread: id = 8 os_tid = 0xb60 Thread: id = 9 os_tid = 0xe2c [0047.025] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0056.001] LocalFree (hMem=0x1099bc0) returned 0x0 [0056.001] LocalFree (hMem=0x1099d60) returned 0x0 [0056.001] CloseHandle (hObject=0x30c) returned 1 Thread: id = 12 os_tid = 0x13ec Thread: id = 13 os_tid = 0x12fc Process: id = "2" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xc6c1000" os_pid = "0xfd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x10c4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0xecc Thread: id = 3 os_tid = 0x6b4 Thread: id = 4 os_tid = 0xd9c Thread: id = 5 os_tid = 0xfc8 Thread: id = 6 os_tid = 0xb14 Thread: id = 10 os_tid = 0xe74 Thread: id = 11 os_tid = 0xec8